Pass login id to query

james_j_taylor · ‎09-12-2013

I am looking for the simplest way to pass the login name to a variable in a query. I want the $formMgrVZID$ to be the id that was used to login to splunk.

This query has the variables (SformMgrVZID$)

Index=”hrxref_data” sourcetype="HR_XREF" earliest=-45d (VZID="$formMgrVZID$" OR LVL1_VZID="$formMgrVZID$") | eval sk=if(VZID="$formMgrVZID$", "1", "2") | table sk, EMP_NAME, JOB_DESC, VZID, NT_USER_ID, SignonID | sort sk

james_j_taylor · ‎10-24-2013

This app worked great. I havent been able to send the value from whoami to a variable and need to keep repeating the code but the app worked well.

it seems like I should be able to send the WHOAMI value to a variable and just use that.. Any insight would be great.

james_j_taylor · ‎09-12-2013

The App worked great if I enter it in the standard search but I am struggling to integrate it into my search string. The documentation is a little light.

sowings · ‎09-12-2013

You might want to check out the whoami app:

http://apps.splunk.com/app/915

Pass login id to query

This query has the variables (SformMgrVZID$)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!