How do I get the current logged in username in Splunk?

Path Finder

How do I get the current username from Splunk?
For example, I log in as Obama, and I want to retrieve the username Obama.

1 Solution

Motivator

Hi renanprado96,
Go to Settings --> User Interface --> Views, click on New, fill in the form,
and use, for example, the Advanced XML code below:

<view template="dashboard.html">
  <label>My Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Messages per minute last hour" autoRun="True">
    <param name="search">search | rest /services/authentication/current-context | table username</param>
    <param name="earliest">-1h</param>
    <module name="ResultsHeader">
      <param name="entityName">scanned</param>
      <param name="entityLabel">Events</param>
      <module name="FlashChart">
        <param name="height">180px</param>
        <param name="width">100%</param>
      </module>
    </module>
  </module>
</view>

After doing this, go to Settings --> User interface --> Navigation menus; in the App context field select your app, click on the default nav name,
and enter this code:

<nav search_view="search" color="#FFFAAE">
  <view name="My-Dashboard" default="true" />
</nav>

You must install Flash Player to see the result.

Motivator
search index=_internal source="*web_access.log*" user!="-"
| eval epoch = strptime(req_time, "%d/%b/%Y:%H:%M:%S.%3N %z")
| stats max(epoch) as epochlt, min(epoch) as epochft by user
| eval firstTime = strftime(epochft, "%m/%d/%Y %H:%M:%S")
| eval lastTime = strftime(epochlt, "%m/%d/%Y %H:%M:%S")
| eval minutesAgo = round((now()-epochlt)/60,3)
| eval hoursOn = round((now()-epochft)/3600,2)
| fields user lastTime minutesAgo hoursOn firstTime

Motivator

Good, thanks.
Don't forget to vote.

Path Finder

Hello. This method works well, but only for admins. I need it to work for users too. I already gave the "dispatch_rest_to_indexers" capability to users. However, I can't get the username. Help me please.

Path Finder

Is it okay if I do this dump search?

index="_audit" earliest=-30s [search index="unique"|stats count|eval count="*"|table count] | table user

Enter a unique string for each different user; after running that dump search, there will be a record in _audit.

SplunkTrust

If you are in a distributed environment you might need to specify your Splunk server:

rest /services/authentication/current-context splunk_server=local

SplunkTrust

This is what I would do:

  • Create a new dashboard in your app
  • Add a Single Value panel to it (Shared in App)
  • The search string for the panel should be:

    | rest /services/authentication/current-context splunk_server=local
    | fields username

  • Set your dashboard as the home page for your app (see this)
Motivator

Hi renanprado96,

This is an example of a query that returns the name of the current user; you can use it in your specific case:

index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ] 

The most important part, the query that returns the current user, is this one:

|rest /services/authentication/current-context/context

Motivator

That shows all of the users.

Path Finder

Hello friend,
I understood that this script returns the username in a query. But actually I wanted to show the username in HTML, on the home page of an app that I am creating.

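The accepted answer above builds the view in Advanced XML with the Flash-based FlashChart module, both of which are deprecated in current Splunk releases, and the Single Value procedure further down only shows the name in a panel. The Simple XML dashboard below is an added example, not code from this thread or from Splunk's documentation: it runs the thread's REST search once on the search head (the `splunk_server=local` argument is the one suggested in this thread), copies the first row into tokens, and prints them from an HTML panel, which is what the original poster asked for. The dashboard label, the search id, the token names and the fallback value `unknown` are my own choices.

```xml
<dashboard>
  <label>App Home</label>

  <!-- Base search: ask the search head who owns the current session.
       The endpoint returns the session owner, so no index data or time range
       is involved; splunk_server=local keeps the call from being dispatched
       to indexers in a distributed deployment. -->
  <search id="current_context">
    <query>| rest /services/authentication/current-context splunk_server=local
| eval roles=mvjoin(roles, ", ")
| fields username realname roles</query>
    <done>
      <!-- Failure mode: no row comes back (for example, the role cannot read
           the endpoint). Show a visible placeholder instead of a raw $token$. -->
      <condition match="$job.resultCount$ == 0">
        <set token="current_user">unknown</set>
        <set token="current_realname">unknown</set>
        <set token="current_roles">none</set>
      </condition>
      <!-- Normal case: copy the first (and only) result row into tokens. -->
      <condition>
        <set token="current_user">$result.username$</set>
        <set token="current_realname">$result.realname$</set>
        <set token="current_roles">$result.roles$</set>
      </condition>
    </done>
  </search>

  <row>
    <!-- The panel stays hidden until the tokens are populated. -->
    <panel depends="$current_user$">
      <html>
        <h2>Welcome, $current_realname$ ($current_user$)</h2>
        <p>Your roles: $current_roles$</p>
      </html>
    </panel>
  </row>
</dashboard>
```

Save this as a view in your app (Settings --> User interface --> Views, or paste it as the dashboard source in the editor) and make it the app's default view through the app nav as shown in the accepted answer. If non-admin users see `unknown`, the first thing to check is whether the REST search is being sent to indexers, which is the situation `splunk_server=local` is meant to avoid, and whether the role is allowed to read the endpoint at all.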

Path Finder

Can you help?
Your method works, but only for admin roles.
I need it to work for users too. I already added the "dispatch_rest_to_indexers" capability. However, it does not get the username.

Motivator

That worked for me! (in a query) I had to modify it though:

index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ] | dedup user | search user != "splunk-system-user" | table user

Motivator

Better yet: 

index=_internal [ rest /services/authentication/current-context/context local=t | fields + username | rename username as user | search user != "splunk-system-user" ] | dedup user | search user != "splunk-system-user" | table user