Splunk Enterprise Security

Current User Variable within Adaptive Response

ericl42
Path Finder

We're using an adaptive response rule to create tickets for our notable events. One item that I need is the current logged in user variable that I can call and then pass to the ticketing system.

I would prefer not to modify all of my correlation rules and insert the logged in user name there and just rely on an environment variable or another form. I've read a few articles and I know I can query the API via the command below to grab the information but I hope there is an easier way.

| rest /services/authentication/current-context splunk_server=local | fields username

I've also read some forum posts stating that $env:user$ should work. All of the examples I've seen are in XML and Dashboards. When I try to call that within my adaptive response rule either via Python code or alert action parameters, it doesn't work. It just prints out $env:user$ instead of any variable.

Most of my variables today follow the $result.something$ format since they are all in the notable event, but as I mentioned above, I would prefer not to have to insert that in all of my events.

What is the easiest way to get the logged in user variable via adaptive response/Python code?

0 Karma

solarboyz1
Builder

As I understand the question, you want the adaptive response to pass the name of the user who ran the search?

Based on the following, you should be able to use job tokens in your adaptive response:
https://docs.splunk.com/Documentation/SplunkCloud/latest/AdvancedDev/ModAlertsLog

Based on the following, the property $job.delegate$ should contain the name of the user who ran the search:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Search/ViewsearchjobpropertieswiththeJobInspector...

By default, the job.delegate value will be the scheduler.

0 Karma

ericl42
Path Finder

The notable events will be run in the background as some system account. If Bob is logged in and working on a notable event, I want the logged in user variable to be Bob so I can auto assign the external ticket I create to him by passing his username variable.

If John is logged in doing a notable event, it should be John that is the user variable.

0 Karma

solarboyz1
Builder

So, if Bob is logged into Splunk, you want all correlation searches to pass Bob as the username to the adaptive response? I don't know of any way to accomplish that.

| rest /services/authentication/current-context splunk_server=local

This should only return the context of the user who ran the search, so if you added this to the correlation search I'd be interested to see what it returns for the scheduler, since the scheduler is running its searches under its own user context.

Even in your script example using environment variables, the environment variable would be based on the user who is running the script; it would not have information about other users on the system, which is really the challenge.

If only one user is logged in at a time, then you could look for all users who have active logins:
| rest /services/authentication/httpauth-tokens splunk_server=local | fields userName

After excluding all the system userNames, assuming the correlation search has access to the rest endpoint, and that only one user is logged in... this would give you the username of a user logged into Splunk at the time the correlation search ran.

0 Karma
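An added illustration of the workaround sketched in the last reply, not code from the thread or from Splunk: a custom alert action script reads the JSON payload Splunk passes on stdin with --execute (its documented owner, search_name, sid and result keys), then applies the "exactly one non-system user has a session" heuristic to the userName rows that the httpauth-tokens REST call would return, falling back to the search owner when the answer is ambiguous. The SYSTEM_ACCOUNTS set, the sample payload and the sample session rows are constructed; the REST call itself is not made here.

```python
import json
import sys

# Constructed list of non-analyst accounts to ignore; adjust to your deployment.
SYSTEM_ACCOUNTS = {"splunk-system-user", "nobody"}

def read_payload(stream):
    """Parse the JSON payload Splunk writes to stdin when it runs the action with --execute.
    owner, search_name, sid and result are part of the documented payload."""
    return json.load(stream)

def pick_assignee(active_sessions, fallback, system_accounts=SYSTEM_ACCOUNTS):
    """Heuristic from the thread: assign to the single non-system user holding a session;
    otherwise fall back (here, to the search owner) and say why, so nothing is guessed."""
    users = sorted({s.get("userName", "") for s in active_sessions} - system_accounts - {""})
    if len(users) == 1:
        return users[0], "single_active_user"
    if not users:
        return fallback, "no_active_user"
    return fallback, "ambiguous:" + ",".join(users)

def build_ticket(payload, active_sessions):
    """Shape the ticket the action would hand to the external system."""
    assignee, reason = pick_assignee(active_sessions, payload.get("owner", "unknown"))
    result = payload.get("result", {})
    return {
        "title": payload.get("search_name", "Notable event"),
        "sid": payload.get("sid"),
        "assignee": assignee,
        "assignment_reason": reason,
        # Drop Splunk-internal fields such as _time before sending to the ticketing system.
        "fields": {k: v for k, v in result.items() if not k.startswith("_")},
    }

# Constructed sample data standing in for the real stdin payload and for the rows that
# | rest /services/authentication/httpauth-tokens splunk_server=local | fields userName
# would return (in a real action you would fetch them with payload["session_key"]).
SAMPLE_PAYLOAD = {
    "owner": "splunk-system-user",
    "search_name": "Example correlation search (constructed)",
    "sid": "scheduler__example_sid",
    "result": {"src": "10.0.0.5", "user": "svc_backup", "_time": "1700000000"},
}
SAMPLE_SESSIONS = [{"userName": "splunk-system-user"}, {"userName": "bob"}, {"userName": "nobody"}]

if __name__ == "__main__":
    payload = read_payload(sys.stdin) if "--execute" in sys.argv else SAMPLE_PAYLOAD
    print(json.dumps(build_ticket(payload, SAMPLE_SESSIONS), indent=2))
```

With two analysts logged in at once the function deliberately returns the search owner and an "ambiguous:" reason rather than picking one, which is the limitation the reply above points out.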