Security

current user in search?

jgauthier
Contributor

Is it possible to pull the current user name for use in a search?
For instance, a search that would do something like 'sourcetype="blah" user=$user | stats galore'

My long term goal is to populate list =ers based on user, and their employees. That data would come from AD. I have authentication with LDAP already, so this should match up pretty easily.

Thanks!

1 Solution

Paolo_Prigione
Builder

Here's a custom python command to get the current user's username: http://pastebin.com/dij6QWBR . Store it in a getUsername.py script in, e.g.:

etc/apps/search/bin/

and append this to your commands.conf:

[getusername]
filename = getUsername.py
passauth = true
run_in_preview = true
streaming = true
retainsevents = true

The syntax is as such:

... | getusername [field=\w+]

If field is not specified, a new "splunk_username" field will be created. The value of "field" will be used otherwise.

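Added example, not the script from the pastebin link and not Paolo_Prigione's code: one way a getUsername.py matching the commands.conf stanza above could work. It assumes the legacy splunk.Intersplunk protocol and that, with passauth = true, the settings carry an authString of the form <auth><userId>…</userId><username>…</username><authToken>…</authToken></auth>; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_FIELD = "splunk_username"
FIELD_RE = re.compile(r"\w+")  # same shape as the [field=\w+] syntax above


def username_from_authstring(auth_string):
    """Return the <username> text from the authString header, or None."""
    if not auth_string:
        return None
    try:
        root = ET.fromstring(auth_string)  # assumed shape: <auth>...</auth>
    except ET.ParseError:
        return None
    name = root.findtext("username")
    return name.strip() if name and name.strip() else None


def add_username(results, settings, options):
    """Add the current user's name to every result row under the chosen field."""
    field = options.get("field", DEFAULT_FIELD)
    if not FIELD_RE.fullmatch(field):
        raise ValueError("field must match \\w+")
    user = username_from_authstring(settings.get("authString"))
    if user is None:
        raise ValueError("no username in authString; is passauth = true set?")
    for row in results:
        row[field] = user  # only the name is copied, never the authToken
    return results


def main():
    # Imported here because this module only exists inside Splunk's Python.
    import splunk.Intersplunk as si
    try:
        _keywords, options = si.getKeywordsAndOptions()
        results, _dummy, settings = si.getOrganizedResults()
        si.outputResults(add_username(results, settings, options))
    except Exception as exc:
        si.outputResults(si.generateErrorResults(str(exc)))


if __name__ == "__main__":
    main()
```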

AzJimbo
Path Finder

I think this is new in 6.5, but I've been able to set variables with an env call in xml

<row>
  <panel>
    <html>
      <h1>Welcome $env:user_realname$</h1>
      You are logged in as $env:user$
    </html>
  </panel>
</row>

pablord
Engager

Hello Paolo,
Could you upload getUsername.py again? It's deleted from the pastebin.net
Thanks!

htkwan
Path Finder

Hello Paolo,
Would you please provide the getUserName.py again? It's deleted from the pastebin.net. Thanks.

jgauthier
Contributor

Wow. That totally worked. Thanks!

0 Karma

Paolo_Prigione
Builder

You can, without any custom command:

| rest /services/authentication/current-context/context | fields + username

e.g.

| head 10 | join [ | rest /services/authentication/current-context/context | fields + username]

will add a new column, username, to every result

index=_internal [ | rest /services/authentication/current-context/context | fields + username | rename username as user ]

will look for all the splunk logs for the current user

Paolo_Prigione
Builder

"rest" is a proper command, but it is available since v4.3 only (just checked in the docs). I'll paste the custom python command I was using with 4.2.x in another answer.

0 Karma

jgauthier
Contributor

That's a really interesting approach, but 'rest' is not a command for me. Is there a minimum version number, or configuration?

"Search operation 'rest' is unknown. You might not have permission to run this operation."

0 Karma

jgauthier
Contributor

Yes. The user logged into the web interface, potentially running reports.

0 Karma

fk319
Builder

I know that when I display my page, I see my user name. I looked and python has several known variables.
$SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html

So, it seems possible to do your search with the username, at least in python.

0 Karma

jgauthier
Contributor

How would I expose python code to the search bar?

0 Karma

acdevlin
Communicator

Just to clarify, by "current user name" do you mean the user currently logged in to Splunk?

0 Karma