I am looking for the simplest way to pass the login name to a variable in a query. I want the $formMgrVZID$ to be the ID that was used to log in to Splunk.
index="hrxref_data" sourcetype="HR_XREF" earliest=-45d (VZID="$formMgrVZID$" OR LVL1_VZID="$formMgrVZID$") | eval sk=if(VZID="$formMgrVZID$", "1", "2") | table sk, EMP_NAME, JOB_DESC, VZID, NT_USER_ID, SignonID | sort sk
This app worked great. I haven't been able to send the value from whoami to a variable and need to keep repeating the code, but the app worked well.
index="hrxref_data" sourcetype="HR_XREF" ([| whoami fieldname=MOID | fields MOID] OR [| whoami fieldname=LVL1_MOID | fields LVL1_MOID]) | eval sk=if([| whoami fieldname=MOID | fields MOID], "1", "2") | table sk, EMP_NAME, JOB_DESC, LOC_DESC, MOID, NT_USER_ID, SignonID | sort sk
It seems like I should be able to send the WHOAMI value to a variable and just use that. Any insight would be great.
The App worked great if I enter it in the standard search but I am struggling to integrate it into my search string. The documentation is a little light.
sourcetype="HR_XREF" earliest=-45d (VZID=[|whoami fieldname=user|fields user] OR LVL1_VZID=[|whoami fieldname=user|fields user])| eval sk=if(VZID=[|whoami fieldname=user|fields user], "1", "2")
| table sk, EMP_NAME, JOB_DESC, VZID, NT_USER_ID, SignonID | sort sk
You might want to check out the whoami app: