Dashboards & Visualizations

Is It Possible to Assign a Token Value to a User or Role?

genesiusj
Builder

Hello,
We have a dashboard that monitors cost and fees for over 30 in-house applications. We need to have each application owner be only able to view their application and no other application owner's app.

index=$tok_index$
    AND FAILCODE=N
    AND (APPLICATIONNAME=$tok_payApp$ ....

$tok_pay$ is a selectable token from a dropdown input.

What we are looking for...
When user A. Smith clicks the dropdown they should only be able to see costingApp.
When user B. Jones clicks the dropdown they should only be able to see accountsApp.
etc....

I've checked the roles and capabilities doc page, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Rolesandcapabilities, but could not find anything.

I also checked here, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Addandeditroles#Specify_search_restricti.... Would this work with dashboards?

Is it feasible to create a conf file with a list of users and corresponding $tok_pay$ values, and assigning it for a particular dashboard? Maybe built into the dashboard's XML code; or via a JS or CSS file; or another mechanism?

We don't want the administrative burden of building and managing 30+ dashboards in order to fulfill this requirement to our application owners; and we don't want to create separate indexes, etc., to handle this either.

Any fezzes or other experts come across this requirement before?

Thanks in advance.
God bless,
Genesius

0 Karma
1 Solution

genesiusj
Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro current_user to find the user who is running (logged in).

| rest /services/authentication/current-context 
    | table username 
    | search username!=splunk-system-user 
    | return $username

Run this macro against the _audit index with a one minute time range. The results will be the list of their apps will be seen in the drop down.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user` 
| eval payUser = user 
| lookup payUserToApp.csv payUser OUTPUTNEW payApp 
| dedup payApp 
| table payApp
| mvexpand payApp

Now what I found interesting is that if I did not use the | mvexpand payApp at the end of the search my results would be concatenated.
Ex.: Without | mvexpand payApp
MV_VEHPPLS_MyLicense
With | mvexpand payApp
MV_VEHPP
LS_MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payAppcommand.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will make this as Accepted at the end of the week.

View solution in original post

genesiusj
Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro current_user to find the user who is running (logged in).

| rest /services/authentication/current-context 
    | table username 
    | search username!=splunk-system-user 
    | return $username

Run this macro against the _audit index with a one minute time range. The results will be the list of their apps will be seen in the drop down.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user` 
| eval payUser = user 
| lookup payUserToApp.csv payUser OUTPUTNEW payApp 
| dedup payApp 
| table payApp
| mvexpand payApp

Now what I found interesting is that if I did not use the | mvexpand payApp at the end of the search my results would be concatenated.
Ex.: Without | mvexpand payApp
MV_VEHPPLS_MyLicense
With | mvexpand payApp
MV_VEHPP
LS_MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payAppcommand.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will make this as Accepted at the end of the week.

Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...