Splunk Enterprise

Pass token into search macro

biers04
Explorer

I created a search for pushing clean MD5 hashes to a CSV in order to filter out said MD5's. For non-repudiation purposes, I am attempting to send the current users name into the CSV as well.

To make it easier, the base search is below:

index=mcafee Customer=Yes AND signature!="[New*" AND ("ad.Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv") $wild$
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "Executable
,Fingerprint"
| eventstats sum(count) as total_host
| where count<11
| rename "Executable_,Fingerprint" AS "File Hash", earliest(TIME) AS "First Seen", count AS Count
| table "File Hash", Count, "Set As Clean" "Username"
|eval "Set As Clean"="Clean"
| eval "Username"="$env:user_realname$"
| sort -Count

Then a search macro runs, pushing the MD5 to the CSV along with the file name (Command below). The issue I am having here is that the token $env:user_realname$ does not appear to be valid in the search macro. Username returns the literal string "$env:user_realname$" instead of the actual user name. If not in quotes, Username returns blank. I am not sure what I am missing.

| dedup "Executable_,Fingerprint"
| head 1
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv

Tags (1)
0 Karma
1 Solution

elliotproebstel
Champion

You could do this instead of your current eval expression:

| appendcols 
[ | rest /services/authentication/current-context splunk_server=local
  | table username ]

Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html

View solution in original post

elliotproebstel
Champion

You could do this instead of your current eval expression:

| appendcols 
[ | rest /services/authentication/current-context splunk_server=local
  | table username ]

Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html

biers04
Explorer

So I will give you credit, you set me on the right path here. It did not quite work for me, but
| join [rest /services/authentication/current-context splunk_server=local | fields + username]
ended up working.

0 Karma

elliotproebstel
Champion

Glad you got it working!

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>