Splunk Enterprise

Ingesting User Names

biers04
Explorer

I am currently creating a dashboard for users.

index=mcafee AND Customer=Yes AND signature!="[New*" AND ("Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv")
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "file_name", "Executable_,Fingerprint"
| eventstats sum(count) AS total_host
| where count<11
| rename file_name AS "File Name", earliest(TIME) AS "First Seen", count AS Count
| table "File Name", "Executable_,Fingerprint", Count, "Set As Clean"
| eval "Set As Clean"="Clean"
| sort - Count

When a user clicks "Clean" it auto runs a query that pushes the file hash and filename to a CSV so we no longer see the file name associated with that file hash.

My problem comes in as I need non-repudiation. I am looking to push the current user's name into the CSV, but I cannot figure out how to push the current user to a table. If I can get it to a table, I'll know how to push their name into the CSV. The current command I am attempting to use is "$env:user_realname$" as it grabs the user's name instead of the login name. I'm not sure if I need to make it a token or if there is something I am missing here.

0 Karma
1 Solution

niketn
Legend

@biers04, in the drilldown outputlookup command that pushes the required file hash and filename to the lookup CSV, please add the following eval as well, prior to the outputlookup command. This will add Real User Name as a new column in the lookup file.

<YourDrilldownQuery>
| eval username="$env:user_realname$"
| outputlookup <YourCSVFileName>

PS: If for some reason this does not work, please post the current query being used in your drilldown. Also add some sample data to be pushed in the lookup file.

Following is a run-anywhere Simple XML dashboard with a username column displaying the full name of the logged-in user using the Splunk environment token, i.e. $env:user_realname$

<dashboard>
  <label>Add User Name to Outputlookup</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval data="method=post, log_level=warn,action=purchase;method=get, log_level=info,action=inquiry;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval username="$env:user_realname$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


biers04
Explorer

Brilliant! Thank you, I was missing
eval username="$env:user_realname$" within the search macro.

0 Karma

biers04
Explorer

Actually, it appears that within the CSV, it returns just the literal string "$env:user_realname$"

My drilldown query is as follows:

| dedup "Executable_,Fingerprint"
| head 1
| fillnull value="NULL"
| search NOT NULL
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv

0 Karma
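The dashboard below is an added, run-anywhere example written for this thread; it is not niketn's or biers04's code and not part of any Splunk app. It shows the cause of the literal string seen in the CSV above: $env:user_realname$ (and $env:user$) are Simple XML tokens that the dashboard framework substitutes into the <query> text before the search is dispatched, so a reference placed inside a macro definition or a saved search is never expanded and is written out verbatim. The example keeps the tokens in the dashboard's own query, records the login name from $env:user$ alongside the display name (login names are unique, real names are not, which matters for non-repudiation), stamps each row with now(), and applies the |s token filter to the clicked row values so a file name containing quotes cannot alter the search. The third row reads index=_audit, which splunkd writes independently of the dashboard and which only roles with access to that index can see. The field and token names not taken from the thread (file_hash after the rename, first_seen, clean_file, clean_hash, cleaned_at) are assumptions; earliest() is taken over _time rather than the question's time field.

```xml
<dashboard>
  <label>Mark Hash Clean (audited)</label>
  <!-- Added example, not the thread author's dashboard. Row 1 lists candidate files,
       row 2 runs only after a click and appends the decision plus the clicking user
       to the lookup, row 3 shows the server-side audit trail of such writes. -->
  <row>
    <panel>
      <title>Files seen on fewer than 11 hosts (click a row to mark it clean)</title>
      <table>
        <search>
          <query>index=mcafee Customer=Yes signature!="[New*"
| rename "Executable_,Fingerprint" AS file_hash
| dedup "Workstation_,Name" file_hash
| stats earliest(_time) AS first_seen count BY file_name file_hash
| where count&lt;11
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M")
| sort - count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.X$ tokens carry the clicked row's column values into the next row -->
          <set token="clean_file">$row.file_name$</set>
          <set token="clean_hash">$row.file_hash$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$clean_hash$">
    <panel>
      <title>Recorded as clean by $env:user$</title>
      <table>
        <search>
          <!-- $env:user$ / $env:user_realname$ are replaced by the dashboard framework
               before dispatch; inside a macro or saved search they stay literal.
               |s wraps the row values in quotes and escapes embedded quotes. -->
          <query>| makeresults
| eval file_name=$clean_file|s$,
       file_hash=$clean_hash|s$,
       username="$env:user$",
       user_realname="$env:user_realname$",
       cleaned_at=strftime(now(), "%Y-%m-%dT%H:%M:%S%z")
| table file_name file_hash username user_realname cleaned_at
| outputlookup append=true submit_hash_clean.csv</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Audit trail: who dispatched writes to submit_hash_clean.csv</title>
      <table>
        <search>
          <!-- The user field here comes from splunkd's own audit log, not from the
               SPL string, so it is the record to reconcile the lookup against. -->
          <query>index=_audit action=search info=granted search="*submit_hash_clean.csv*"
| table _time user search</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the second row has depends="$clean_hash$", its outputlookup search is only dispatched after a row is clicked, and each click appends one row with the login name, display name and timestamp. The lookup row alone is still only as trustworthy as the search string a user's role lets them run, so the third row is the check a practitioner wants: every write to the lookup should pair with an index=_audit event whose user field matches the username column.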

biers04
Explorer

FYI to display usernames themselves it is

$env:user_realname$

(don't need the h1 tag). I just need a possible way to grab the h1 and push that to the csv as well.

0 Karma

biers04
Explorer

row panel html h1 id="User">$env:user_realname$

Did not realize it would not display the row panel html h1 tag - reinserted here without the <>

0 Karma