Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to store user-specific preferences?

lmeloni
New Member
‎03-19-2017 09:08 AM

Hi everybody,

what's the best way to store user-specific preferences?
I need something like the "setup.xml" functionality, but to memorize settings independently for each user.
Is there a built-in way to do this? If not, can you suggest me a safe alternative approach?

Best regards!

0 Karma
Reply

adonio
Ultra Champion
‎03-25-2017 09:51 AM

you can create a lookup just by collecting your needed data and place it in a csv file. then upload the file to splunk. heres a link that explains how: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
if you have the data within splunk from a different data source, you can create a search that collects the right data and arranges in a table, then use the outputlookup command to save it.
since you mentioned its a sensitive data, will recommend to restrict permissions on that lookup
Cheers

0 Karma
Reply

adonio
Ultra Champion
‎03-22-2017 01:23 PM

Hi lmeloni,
Can you elaborate on the use case? what do you mean by user-specific preferences?

0 Karma
Reply

lmeloni
New Member
‎03-22-2017 01:54 PM

Hi adonio,

by user-specific preference I mean, for example, every information that's stored in the "Edit account" page (time zone, default app etc.).

Let's say that I've got a certain set of extra preferences (e.g. home address, telephone number etc.), is there a way to extend the "Edit account" page to store them?
If the answer is no, is there any other way to safely store user-related data that might be sensitive and/or confidential?

Best regards!

0 Karma
Reply

adonio
Ultra Champion
‎03-22-2017 03:02 PM

Do you use LDAP for authentication?
Are you bringing in Active Directory data?
I think that your question has 2 parts:
a. information stores in "Edit account" configured in user-pref.conf and authorize.conf
b. like @somesoni mentioned is additional information about a user.
to store securely the user info you are asking for, many splunk clients use identities lookup.
you can easily create one based on Active Directory data if you have it, example here using SA-ldapsearch:
http://docs.splunk.com/Documentation/ES/4.5.2/User/AssetandIdentityExamples
can also use other data sources or searches against Active Directory when collecting with [admon].
if that answers your needs, let me know and ill post a full answer.

0 Karma
Reply

lmeloni
New Member
‎03-25-2017 07:10 AM

I'm not currently using LDAP authentication, just the default Splunk login method.
Identity lookups can probably accomplish what I need, but sadly I don't have an Active Directory; is it a necessary component for this approach?

0 Karma
Reply

somesoni2
Revered Legend
‎03-22-2017 01:59 PM

Are these preferences or additional information about logged in user?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...