Determine currently logged in username


How do I determine the username of the currently logged in user from a python script? Elsewhere we are using scripted auth and that python script has several methods that Splunk calls and passes in the username; each method makes a HTTP POST to a REST API running on one of our servers. We need to use a similar approach to what we do in scripted auth's getUserInfo method, but have it be invoked from a custom command (defined in commands.conf), which means that the username won't be passed in. I assume that there is some way to get the current username, just haven't been able to find it yet. Thanks for any pointers,


Tags (2)
0 Karma


You can extract it from the auth token.

First, in the definition of your search command in commands.conf, set

filename =
passauth = true

Your script will then receive a token that looks like:


(Note: The auth token will actually be in a single line with no whitespace. The above formatting is only for readability.)

Once you have that, it's just a matter of extracting the username from the string. For example, if you're using InterSplunk:

import splunk.Intersplunk as si
results, dummyresults, settings = si.getOrganizedResults()
authString = settings.get("authString", None)
if authString != None:
  start = authString.find('<userId>') + 8
  stop = authString.find('</userId>')
  user = authString[start:stop]


Is there any pre-req in order to use the above script? I inserted to my .py and return error code 1.

0 Karma

New Member

It looks like settings["owner"] will directly gives the user ID.

import splunk.Intersplunk
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
splunk.Intersplunk.outputResults([{"user": settings["owner"]}])

0 Karma

Splunk Employee
Splunk Employee

Did you try the cherrypy session object?

import cherrypy

user = cherrypy.session['user'].get('name')


I tried your method, but received an error. Any ideas on the following?

AttributeError: 'module' object has no attribute 'session'

0 Karma


BTW, we are currently on Splunk 4.1.4 in case that changes things

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!