Is it possible to pull the current user name for use in a search?
For instance, a search that would do something like 'sourcetype="blah" user=$user | stats galore'
My long term goal is to populate list =ers based on user, and their employees. That data would come from AD. I have authentication with LDAP already, so this should match up pretty easily.
Thanks!
Here's a custom python command to get the current user's username: http://pastebin.com/dij6QWBR . Store it in a getUsername.py script in, e.g.:
etc/apps/search/bin/
and append this to your commands.conf:
[getusername]
filename = getUsername.py
passauth = true
run_in_preview = true
streaming = true
retainsevents = true
The syntax is as such:
... | getusername [field=\w+]
If field is not specified, a new "splunk_username" field will be created. The value of "field" will be used otherwise.
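Since the pastebin script is no longer available, here is an added sketch of a command with the same interface (it is not the original getUsername.py and not Splunk's own code). It assumes the legacy splunk.Intersplunk protocol and that, with passauth = true, the authString setting has the XML shape shown in SAMPLE_AUTH, which is a constructed value.

```python
import re

DEFAULT_FIELD = "splunk_username"
# Constructed sample of the assumed authString shape (not a real token).
SAMPLE_AUTH = ("<auth><userId>jdoe</userId><username>jdoe</username>"
               "<authToken>CONSTRUCTED-NOT-A-REAL-TOKEN</authToken></auth>")


def username_from_auth_string(auth_string):
    """Return the user name carried in authString, or None if absent."""
    for tag in ("username", "userId"):
        m = re.search(r"<%s>([^<]*)</%s>" % (tag, tag), auth_string or "")
        if m and m.group(1):
            return m.group(1)
    return None


def add_username(results, auth_string, field=None):
    """Set `field` (default splunk_username) on every result row."""
    field = field or DEFAULT_FIELD
    if not re.match(r"\w+\Z", field):
        raise ValueError("field must match \\w+")
    user = username_from_auth_string(auth_string)
    if user is None:
        raise ValueError("no user in authString; is passauth = true set?")
    for row in results:
        row[field] = user
    return results


def main():
    # Imported here so the helpers above can be exercised outside Splunk.
    import splunk.Intersplunk as si
    try:
        _, options = si.getKeywordsAndOptions()
        results, _, settings = si.getOrganizedResults()
        # authString also carries the session token: never log or emit it.
        results = add_username(results, settings.get("authString"),
                               options.get("field"))
    except Exception as exc:
        results = si.generateErrorResults(str(exc))
    si.outputResults(results)


if __name__ == "__main__":
    main()
```

Because passauth = true hands the script a live session token along with the user name, keep the script readable only by the Splunk service account and copy nothing but the user name into results.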
I think this is new in 6.5, but I've been able to set variables with an env call in xml
<row>
<panel>
<html>
<h1>Welcome $env:user_realname$ </h1>
You are logged in as $env:user$
</html>
</panel>
</row>
Hello Paolo,
Could you upload getUsername.py again? It's deleted from the pastebin.net
Thanks!
Hello Paolo,
Would you please provide the getUserName.py again? It's deleted from the pastebin.net. Thanks.
Wow. That totally worked. Thanks!
You can, without any custom command:
rest /services/authentication/current-context/context | fields + username
e.g.
| head 10 | join [rest /services/authentication/current-context/context | fields + username]
will add a new column, username, to every result
index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ]
will look for all the splunk logs for the current user
"rest" is a proper command, but it is available since v4.3 only (just checked in the docs). I'll paste the custom python command I was using with 4.2.x in another answer.
That's a really interesting approach, but 'rest' is not a command for me. Is there a minimum version number, or configuration?
"Search operation 'rest' is unknown. You might not have permission to run this operation."
Yes. The user logged into the web interface, potentially running reports.
I know that when I display my page, I see my user name. I looked and python has several known variables.
$SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html
So, it seems possible to do your search with the username, at least in python.
How would I expose python code to the search bar?
Just to clarify, by "current user name" do you mean the user currently logged in to Splunk?