Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pass token into search macro

biers04
Explorer
‎12-08-2017 06:04 AM

I created a search for pushing clean MD5 hashes to a CSV in order to filter out said MD5's. For non-repudiation purposes, I am attempting to send the current users name into the CSV as well.

To make it easier, the base search is below:

index=mcafee Customer=Yes AND signature!="[New*" AND ("ad.Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv") $wild$
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "Executable,Fingerprint"
| eventstats sum(count) as total_host
| where count<11
| rename "Executable_,Fingerprint" AS "File Hash", earliest(TIME) AS "First Seen", count AS Count
| table "File Hash", Count, "Set As Clean" "Username"
|eval "Set As Clean"="Clean"
| eval "Username"="$env:user_realname$"
| sort -Count

Then a search macro runs, pushing the MD5 to the CSV along with the file name (Command below). The issue I am having here is that the token $env:user_realname$ does not appear to be valid in the search macro. Username returns the literal string "$env:user_realname$" instead of the actual user name. If not in quotes, Username returns blank. I am not sure what I am missing.

| dedup "Executable_,Fingerprint"
| head 1
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-08-2017 08:02 AM

You could do this instead of your current eval expression:

| appendcols 
[ | rest /services/authentication/current-context splunk_server=local
  | table username ]

Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-08-2017 08:02 AM

You could do this instead of your current eval expression:

| appendcols 
[ | rest /services/authentication/current-context splunk_server=local
  | table username ]

Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html

Reply
Solved! Jump to solution

biers04
Explorer
‎12-08-2017 08:11 AM

So I will give you credit, you set me on the right path here. It did not quite work for me, but
| join [rest /services/authentication/current-context splunk_server=local | fields + username]
ended up working.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎12-08-2017 08:16 AM

Glad you got it working!

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...