Show column depends on the role

SathyaNarayanan
Path Finder

Hi Team,

I have a table with 10 columns, but I want to show columns depending on the Splunk role.

Sample XML for my requirements:

<dashboard>
  <label>role based column</label>
  <search>
    <query>| rest splunk_server=local /services/authentication/current-context | table roles | mvexpand roles | search roles="*admin" </query>
    <done>
      <condition match="$job.resultCount$!==0">
        <set token="user">"sourcetype"</set>
      </condition>
      <condition match="$job.resultCount$==0">
        <set token="user">" "</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" | dedup sourcetype | table host sourcetype | fields host $user$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

In this, when an admin logs in, he should see the host and sourcetype columns; a non-admin should see only host.

Thanks in advance.


kamlesh_vaghela
SplunkTrust

@SathyaNarayanan

Can you please try this condition?

<condition match="'job.resultCount'==0">
  <set token="user"> </set>
</condition>
<condition>
  <set token="user">sourcetype</set>
</condition>

UPDATED

You are comparing the result count with NOT EQUAL TO ZERO, so your code is proper; the only problem is with the !== sign.

OLD Code: <condition match="$job.resultCount$!==0">

NEW Code: <condition match="$job.resultCount$!=0">

Just remove the extra = 🙂


vnravikumar
Champion

Hi

Check this

<dashboard>
   <label>role based column</label>
   <search>
     <query>| rest splunk_server=local /services/authentication/current-context | table roles | mvexpand roles | search roles="*admin" </query>
     <done>
       <condition match="'job.resultCount'!=0">
         <set token="user">"sourcetype"</set>
       </condition>
       <condition>
         <set token="user"></set>
       </condition>
     </done>
   </search>
   <row>
     <panel>
       <table>
         <search>
           <query>index="_internal" | dedup sourcetype |table host $user$</query>
           <earliest>-15m</earliest>
           <latest>now</latest>
         </search>
         <option name="drilldown">none</option>
         <option name="refresh.display">progressbar</option>
         <fields>host $user$</fields>
       </table>
     </panel>
   </row>
 </dashboard>

SathyaNarayanan
Path Finder

Yes, it worked for me, thanks a lot for the quick response.

I want to know whether $job.resultCount$ changed to 'job.resultCount'?


kamlesh_vaghela
SplunkTrust

@SathyaNarayanan
Both $job.resultCount$ and 'job.resultCount' will work. Just check my updated answer.
