Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

whoami doesn't support external lookup?

soe_hlawin
Explorer
‎10-16-2013 03:37 AM

I have installed the app whoami. when I use it as a command from splunkweb search, it works as expected.

But when I want to use this command inside a python script which is invoked from splunkweb search (as an automated external lookup), this returns no search_user field. Moreover, if there is any CLI session on the linux server, the whoami command is returning that user than that of the splunkweb user.

Please suggest if there is any way to let whoami know to exclusively retun only the splunkweb user.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎10-16-2013 08:29 AM

The whoami app was written before the release of Splunk 4.3 for use in creating reports specific to current logged in user. When that version of Splunk introduced the rest command it obviated the need for the whoami app and I quit maintaining it.

Please use the rest command in place of the whoami custom search command going forward.

One way to use it would be to add the results to each event (one of the modes supported by whoami) using a join:

* | head 10 | join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎10-16-2013 08:29 AM

The whoami app was written before the release of Splunk 4.3 for use in creating reports specific to current logged in user. When that version of Splunk introduced the rest command it obviated the need for the whoami app and I quit maintaining it.

Please use the rest command in place of the whoami custom search command going forward.

One way to use it would be to add the results to each event (one of the modes supported by whoami) using a join:

* | head 10 | join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ]
0 Karma
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎03-21-2014 11:31 AM

App removed.

Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎03-21-2014 10:45 AM

Good point and/or request. I've just sent a note to splunkbase admin requesting app removal.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-21-2014 10:31 AM

could add a note to the top of the description or docs for this app, or remove the app entirely then?

Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎10-16-2013 10:52 AM

This was just added to the rest command's example section: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rest#Examples

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...