Yes, you can get this information via REST. (v4.3+)
Keep in mind the /services/authentication/users
endpoint will show details for all users if the user is an admin. So, use a subsearch to query for current logged-in user to narrow the users table down to the one user. Also, use splunk_server=local
to avoid unnecessary splunk system user lines from indexers:
rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title]
This table row contains useful fields such as role
(multivalued field) and realname
that you can use. title
is the username. For example, you could pull out the realname
to narrow down a lookup file that has the full name stored in the UserFullName column:
| inputlookup my_lookup_to_narrow_down
| search [
rest /services/authentication/users splunk_server=local
| search [
rest /services/authentication/current-context splunk_server=local
| rename username as title
| fields title
]
| eval UserFullName=realname
| fields UserFullName
]
If you then used this search to power a dropdown on a dashboard, you now have a single dashboard that shows options relevant to only the logged-in user. Now you only have one csv lookup file to maintain, not a handful of different dashboards!
Yes, you can get this information via REST. (v4.3+)
Keep in mind the /services/authentication/users
endpoint will show details for all users if the user is an admin. So, use a subsearch to query for current logged-in user to narrow the users table down to the one user. Also, use splunk_server=local
to avoid unnecessary splunk system user lines from indexers:
rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title]
This table row contains useful fields such as role
(multivalued field) and realname
that you can use. title
is the username. For example, you could pull out the realname
to narrow down a lookup file that has the full name stored in the UserFullName column:
| inputlookup my_lookup_to_narrow_down
| search [
rest /services/authentication/users splunk_server=local
| search [
rest /services/authentication/current-context splunk_server=local
| rename username as title
| fields title
]
| eval UserFullName=realname
| fields UserFullName
]
If you then used this search to power a dropdown on a dashboard, you now have a single dashboard that shows options relevant to only the logged-in user. Now you only have one csv lookup file to maintain, not a handful of different dashboards!