Splunk Search

resolving username from uid in a splunk query

mullica1
Engager

Greetings-

I'm putting together a dashboard query that shows uids and systems as a result. I would like to resolve each uid to a username, so that the dashboard output will be username and system. I have written a Python script that, when passed a uid, will return the username. What I'm stumbling with is calling it correctly and using the output. I've tried calling it as a script and as a lookup, verified it is running, but can't get it to do what I want. Can someone give me a shove in the right direction please?


richgalloway
SplunkTrust
SplunkTrust

An external lookup should do the job. Have you looked at https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Configureexternallookups?

Please explain what you want it to do and what it is actually doing.

---
If this reply helps you, Karma would be appreciated.

mullica1
Engager

Thanks, I'll check the link; I've read till my eyes have bled.

Here's what I'm doing. A dashboard query similar to

sourcetype=linux_audit............. | stats by uid,host

which gives me a table of uid and host. Unfortunately the audit records in question don't have the user account name, just the uid. What I want to do is turn that table into user, host by passing the uids to a Python script like

import sys
import pwd

# Take the uid from the first command-line argument and resolve it through
# the local passwd database; print the matching account name.
arg = int(sys.argv[1])
results = pwd.getpwuid(arg).pw_name
print(results)

My Python script works as expected and I can call it from the command line with the expected results. I made an entry in transforms.conf.

What's tripping me up is how to invoke it correctly.

richgalloway
SplunkTrust
SplunkTrust

One cannot invoke an ordinary Python script from SPL. There is a protocol that Splunk uses to communicate with the script. Learn more at dev.splunk.com.

---
If this reply helps you, Karma would be appreciated.

scelikok
SplunkTrust
SplunkTrust

Hi @mullica1,

The best way to do this is to create a lookup file that contains all uids, systems and usernames. You can update this lookup using your script with crontab, and use that lookup at the end of your dashboard search like the sample below.

Lookup file sample (uid_lookup.csv):

uid,system,username
1001,host1,user1

Search sample:

| lookup uid_lookup.csv uid system OUTPUT username
| table username system

If this reply helps you an upvote and "Accept as Solution" is appreciated.

mullica1
Engager

The only issue with that, from what I see, is that if there is no value in the lookup table for the uid, then nothing is returned. Which means that possibly an unresolved audit record will not be shown in the table. I was going to enhance my Python script to return the uid if the lookup was unsuccessful, so at least the unresolved uid would be shown in the query.


mullica1
Engager

Just proved myself wrong, I can use coalesce.

eval account=coalesce(account,uid)

If not found, it will just list the uid. Thanks.
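A worked example of the external lookup protocol richgalloway refers to, combined with the "return the uid when it cannot be resolved" fallback mullica1 wanted. This is added here and is not code from the thread; the stanza name uid_to_user and the script name uid_lookup.py are assumed.

```python
#!/usr/bin/env python3
"""External lookup script: resolve uid -> username via the local passwd database.

Splunk runs an external lookup script with the field names as arguments and
feeds it a CSV on stdin whose header is those fields; the script must write a
CSV with the same header to stdout, filling in the empty output fields.
Assumed transforms.conf stanza (hypothetical name, not from the thread):

    [uid_to_user]
    external_cmd = uid_lookup.py uid username
    fields_list  = uid, username

Used in a search as:  ... | lookup uid_to_user uid OUTPUT username
"""
import csv
import io
import pwd
import sys


def resolve_uid(uid_str):
    """Return the account name for a numeric uid, or the uid itself when it
    cannot be resolved, so unresolved audit records still show up in the table."""
    try:
        return pwd.getpwuid(int(uid_str)).pw_name
    except (ValueError, KeyError):
        return uid_str


def process(csv_text, in_field="uid", out_field="username", resolver=resolve_uid):
    """Apply the lookup protocol to one CSV document and return the output CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Only fill rows that carry a uid and have no username yet.
        if row.get(in_field) and not row.get(out_field):
            row[out_field] = resolver(row[in_field])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk invokes the script as: uid_lookup.py uid username
    in_field, out_field = sys.argv[1], sys.argv[2]
    sys.stdout.write(process(sys.stdin.read(), in_field, out_field))
```

Because the script fills the uid back in when no account matches, the coalesce step mullica1 added at the end becomes unnecessary for this lookup.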