- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: Can I search based on the currently logged in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can get this information via REST. (v4.3+)
Keep in mind the /services/authentication/users endpoint will show details for all users if the user is an admin. So, use a subsearch to query for current logged-in user to narrow the users table down to the one user. Also, use splunk_server=local to avoid unnecessary splunk system user lines from indexers:
rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title]
This table row contains useful fields such as role (multivalued field) and realname that you can use. title is the username. For example, you could pull out the realname to narrow down a lookup file that has the full name stored in the UserFullName column:
| inputlookup my_lookup_to_narrow_down
| search [
rest /services/authentication/users splunk_server=local
| search [
rest /services/authentication/current-context splunk_server=local
| rename username as title
| fields title
]
| eval UserFullName=realname
| fields UserFullName
]
If you then used this search to power a dropdown on a dashboard, you now have a single dashboard that shows options relevant to only the logged-in user. Now you only have one csv lookup file to maintain, not a handful of different dashboards!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can get this information via REST. (v4.3+)
Keep in mind the /services/authentication/users endpoint will show details for all users if the user is an admin. So, use a subsearch to query for current logged-in user to narrow the users table down to the one user. Also, use splunk_server=local to avoid unnecessary splunk system user lines from indexers:
rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title]
This table row contains useful fields such as role (multivalued field) and realname that you can use. title is the username. For example, you could pull out the realname to narrow down a lookup file that has the full name stored in the UserFullName column:
| inputlookup my_lookup_to_narrow_down
| search [
rest /services/authentication/users splunk_server=local
| search [
rest /services/authentication/current-context splunk_server=local
| rename username as title
| fields title
]
| eval UserFullName=realname
| fields UserFullName
]
If you then used this search to power a dropdown on a dashboard, you now have a single dashboard that shows options relevant to only the logged-in user. Now you only have one csv lookup file to maintain, not a handful of different dashboards!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
Join Us for Splunk University and Get Your Bootcamp Game On!
