Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get the roles from rest API and set to field in search

bhupalbobbadi
Path Finder
‎08-08-2019 05:00 PM

I need to get the roles assigned to current logged in user and set the value to filed in search. Anybody has any idea. I tried the following and got the error.

|makeresults|eval rls=[|rest /services/authentication/current-context |eval rls="\"".roles."\""|eval user="\"".username."\""|eval rlss=mvjoin(roles,",")|return $rlss]

but got the error : Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
not much details in logs.

Anybody has any idea how to fix this?

TIA.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-08-2019 05:31 PM

Why can't rlss be your new field? No need to makeresult and append your results to another filed again. Are you not missing few roles with your sub-query? Can you try this?

|rest /services/authentication/current-context|mvexpand roles | eval rlss="\""+roles+","+username+"\"" | fields rlss

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nareshinsvu
Builder
‎08-08-2019 05:31 PM

Why can't rlss be your new field? No need to makeresult and append your results to another filed again. Are you not missing few roles with your sub-query? Can you try this?

|rest /services/authentication/current-context|mvexpand roles | eval rlss="\""+roles+","+username+"\"" | fields rlss
0 Karma
Reply
Solved! Jump to solution

bhupalbobbadi
Path Finder
‎08-08-2019 05:52 PM

Thanks Naresh, Your query producing results, but my requirement is get and assign all roles (comma separated string value) for the current user and set it to a field in main query.

0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎08-08-2019 06:25 PM

Will this help? This will append rlss as a new column to your outside query

|makeresults|appendcols [|rest /services/authentication/current-context|mvexpand roles |  eval rlss="\""+roles+","+username+"\"" | fields rlss]
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎08-08-2019 06:56 PM

Alternatively if you want to do some comparisions with the subsearch, best way is to route the results to a lookup and then compare. Small example below

|makeresults [|rest /services/authentication/current-context|mvexpand roles |  eval rlss=+roles+","+username | fields rlss username | dedup  rlss| outputlookup rlss.csv] | eval mainuser="splunk-system-user" | lookup rlss.csv username as  mainuser
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...