Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Session variable
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there.Lets see if someone can help me with this. We have this requirement:
We have several saved searches and reports that need to be shown to a number of users, but with a slight change for different user groups. Lets say that the "change" is a value for a field, for instance Field1=$userField$ (maybe I could build a python command if that change isn't that simple, but that's not my question). What if I don't want to create a different app or saved search for each group, but get that userField value when the user logs. Are you following me?
One idea we had was to use query string values, we will publish splunk's url for each group like this: splunk.....?userField=value, and then use that value for every search. Maybe using a ServerSideInclude I can process that url and extract the value I need. The thing is that I can't find a way to keep this sort of Session variable, because I need it for every search the user use.
Is this possible? or is it maybe some easier way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. I haven't been able to do what I wanted. It seems there's be no way to store a value during the whole user session. The solution we've arrived so far is to embed a specially created view in some external web site, and call a saved search sending macro parameters. I mean, my saved search is something like:
index=some filterField=$filter$ | timechart count
and I embed the report on some html page of my own, like this:
<iframe src="http://splunk:8000/en-US/app/search/testFormView?q=|savedsearch %22MySavedSearch%22 filterField=FilterValue"
width="80%" height="500">
<p>Your browser does not support iframes.</p>
</iframe>
And this shows me the filtered report I wanted. This way I can get the FilterValue from the page, using JQuery or something else, thus limiting the amount of information showed to this particular user.
Can anyone think of a simpler solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. I haven't been able to do what I wanted. It seems there's be no way to store a value during the whole user session. The solution we've arrived so far is to embed a specially created view in some external web site, and call a saved search sending macro parameters. I mean, my saved search is something like:
index=some filterField=$filter$ | timechart count
and I embed the report on some html page of my own, like this:
<iframe src="http://splunk:8000/en-US/app/search/testFormView?q=|savedsearch %22MySavedSearch%22 filterField=FilterValue"
width="80%" height="500">
<p>Your browser does not support iframes.</p>
</iframe>
And this shows me the filtered report I wanted. This way I can get the FilterValue from the page, using JQuery or something else, thus limiting the amount of information showed to this particular user.
Can anyone think of a simpler solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where can I find those UI experts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you might need some kind of custom UI layer in front of splunk. Out of curiosity, where are you storing the information about who has access to what? If you could store that info in one or more lookup tables, that may aide in your solution, but it sounds rather complicated and not an out-of-the-box kind of thing. But hopefully the UI experts can give a better direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's more a domain issue. But you are right, certain user should only see certain data.
Suppose you have a saved search that returns a timechart for user hits to a database server. And as a server admin you may want to see every hit. But some user might want to see the exact same search, with the addition of "search databasename=DB_mine". Picture that for a lot of searches and databases (not the exact problem, It's simplified)
For the admin, I can create a formsearch, put a selector, show every database name and use it for filtering. But final users shouldn't be able to change that selection.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it would be helpful if you elaborate a little more on what kind of differences you want to see per user? Is this a security-kind of requirement where only certain users should see certain data, or is it more that users should only see activities based on their assigned responsibility or roles?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
