
How do I get the current username from Splunk?
For example, I log in as Obama, and I want to retrieve the username Obama.
Hi renanprado96,
Go to Settings --> User Interface --> Views, click New, then fill in the form
and use, for example, the Advanced XML code below:
<view template="dashboard.html">
  <label>My Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Messages per minute last hour" autoRun="True">
    <param name="search">search | rest /services/authentication/current-context | table username</param>
    <param name="earliest">-1h</param>
    <module name="ResultsHeader">
      <param name="entityName">scanned</param>
      <param name="entityLabel">Events</param>
      <module name="FlashChart">
        <param name="height">180px</param>
        <param name="width">100%</param>
      </module>
    </module>
  </module>
</view>
After doing this, go to Settings --> User Interface --> Navigation menus. In the App context field, select your app, click on the default nav name,
and enter this code:
<nav search_view="search" color="#FFFAAE">
  <view name="My-Dashboard" default='true' />
</nav>
You must install Flash Player to see your result.
Use this if you are working in a clustered environment:
| rest /services/authentication/current-context splunk_server=local | table username
Use this if you are working in a standalone environment:
| rest /services/authentication/current-context | table username

index=_internal [ rest /services/authentication/current-context/context local=t | fields + username | rename username as user | search user != "splunk-system-user" ] | dedup user | search user != "splunk-system-user" | table user
search index=_internal source="*web_access.log*" user!="-" | stats max(req_time) as lt, min(req_time) as ft by user
| eval epochft = strptime( ft, "%d/%b/%Y:%H:%M:%S.%3N %z" )
| eval firstTime = strftime(epochft, "%m/%d/%Y %H:%M:%S")
| eval epochlt = strptime( lt, "%d/%b/%Y:%H:%M:%S.%3N %z" )
| eval lastTime = strftime(epochlt, "%m/%d/%Y %H:%M:%S")
| eval firstTime = strftime( strptime( ft, "%d/%b/%Y:%H:%M:%S.%3N %z" ), "%m/%d/%Y %H:%M:%S")
| eval minutesAgo = round((now()-epochlt)/60,3)
| eval hoursOn = round((now()-epochft)/3600,2)
| fields user lastTime minutesAgo hoursOn firstTime
good thanks
don't forget to vote
Hello. This method works well, but only for admins. I need it to work for users as well. I already gave the capability "dispatch_rest_to_indexers" to users. However, I can't get the username. Help me please.
Is it okay if I do this dump search?
index="_audit" earliest=-30s [search index="unique"|stats count|eval count="*"|table count] | table user
Enter a unique string for each different user; after doing that dump search, there will be a record in _audit.

If you are in a distributed environment you might need to specify your Splunk server:
| rest /services/authentication/current-context splunk_server=local

This is what I would do:
- Create new dashboard in your app
- Add a Single Value panel to it (Shared in App)
  Search String for the panel should be:
  | rest /services/authentication/current-context splunk_server=local
  | fields username
- Set your dashboard as home page for your app (see this)
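
The dashboard steps above written out as Simple XML, added here as an illustration and not posted by anyone in the thread. The label and panel titles are made up. The second panel uses Simple XML's built-in `$env:user$` token, which the thread does not mention; it puts the logged-in username into an HTML panel without running the `rest` search.

```xml
<dashboard>
  <!-- Label and panel titles are illustrative placeholders -->
  <label>Current user</label>
  <row>
    <panel>
      <title>Logged-in user (REST search)</title>
      <!-- Single Value panel driven by the search string from the post.
           splunk_server=local keeps the REST call on the search head. -->
      <single>
        <search>
          <query>| rest /services/authentication/current-context splunk_server=local | fields username</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Logged-in user (token)</title>
      <!-- Not from the thread: $env:user$ is replaced by the dashboard
           with the username of the session viewing the page. -->
      <html>
        <p>Signed in as <b>$env:user$</b></p>
      </html>
    </panel>
  </row>
</dashboard>
```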

Hi renanprado96,
This is an example of a query that returns the name of the current user; you can use it in your specific case:
index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ]
The most important query, the one that returns the current user, is this one:
| rest /services/authentication/current-context/context

That shows all of the users.

Hello friend,
I understood that this script returns the user name in a query. But actually I wanted to show the user name in HTML, the home page of an APP that I am creating.
Can you help?
Your method works, but only for admin roles.
I need it to work for users too. I already added capability "dispatch_rest_to_indexers". However it does not get username.

That worked for me! (in a query) I had to modify it though:
index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ] | dedup user | search user != "splunk-system-user" | table user

Better yet:
index=_internal [ rest /services/authentication/current-context/context local=t | fields + username | rename username as user | search user != "splunk-system-user" ] | dedup user | search user != "splunk-system-user" | table user
