
How do I get the current logged in username in Splunk?

renanprado96
Path Finder

How do I get the current username from Splunk?
For example, I log in as Obama, and I want to retrieve the username Obama.

1 Solution

chimell
Motivator

Hi renanprado96,
Go to Settings --> User Interface --> Views, click on New, fill in the form,
and use, for example, the advanced XML code below:

<view template="dashboard.html">
  <label>My Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Messages per minute last hour" autoRun="True">
    <param name="search">search | rest /services/authentication/current-context | table username</param>
    <param name="earliest">-1h</param>
    <module name="ResultsHeader">
      <param name="entityName">scanned</param>
      <param name="entityLabel">Events</param>
      <module name="FlashChart">
        <param name="height">180px</param>
        <param name="width">100%</param>
      </module>
    </module>
  </module>
</view>

After doing this, go to Settings --> User Interface --> Navigation menus. In the App context field, select your app, click on the default nav name,
and enter this code:

<nav search_view="search" color="#FFFAAE">
  <view name="My-Dashboard" default='true' />
</nav>

You must install Flash Player to see your result.


Siddharth
Path Finder

Use this if you are working in a clustered environment:

| rest /services/authentication/current-context splunk_server=local | table username

Use this if you are working in a standalone environment:

| rest /services/authentication/current-context | table username

0 Karma
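The `| rest` command used in the answers above is a wrapper around Splunk's `/services/authentication/current-context` endpoint on the management port, which is why `splunk_server=local` matters: it keeps the call on the search head instead of fanning out to every search peer. As an added example that is not part of this thread, the Python script below calls that endpoint directly with a session key, parses the JSON reply into the username, roles and capabilities, and flags the internal `splunk-system-user` account that later replies filter out of their results. The management URL, the session key and the sample reply are constructed assumptions for the example; the reply only follows the endpoint's JSON shape and was not captured from a real server.

```python
"""Added example (not from the thread): query Splunk's current-context endpoint
directly and reduce the reply to the identity fields a caller needs."""
import json
import urllib.request

MGMT_URL = "https://localhost:8089"  # assumed search-head management port (hypothetical)
ENDPOINT = "/services/authentication/current-context"
SYSTEM_USER = "splunk-system-user"   # internal account the thread's searches exclude
# Capability later replies mention for running | rest against indexers in a
# distributed environment; splunk_server=local avoids needing it.
INDEXER_REST_CAP = "dispatch_rest_to_indexers"


def build_request(session_key, base_url=MGMT_URL):
    """GET request for the endpoint; output_mode=json asks for JSON instead of Atom XML.
    The 'Authorization: Splunk <sessionKey>' header is Splunk's session-key form."""
    return urllib.request.Request(
        f"{base_url}{ENDPOINT}?output_mode=json",
        headers={"Authorization": f"Splunk {session_key}"},
    )


def parse_current_context(body):
    """Reduce a current-context JSON reply to username, roles and capabilities.
    The endpoint returns a single entry named 'context' whose content holds them."""
    data = json.loads(body)
    entries = data.get("entry") or []
    if not entries:
        raise ValueError("current-context reply carries no entry")
    content = entries[0].get("content") or {}
    username = content.get("username")
    if not username:
        raise ValueError("current-context entry has no username")
    return {
        "username": username,
        "roles": list(content.get("roles") or []),
        "capabilities": set(content.get("capabilities") or []),
        "is_system_user": username == SYSTEM_USER,
    }


def can_dispatch_rest_to_indexers(ctx):
    """True when the caller may run | rest against indexers (distributed search)."""
    return INDEXER_REST_CAP in ctx["capabilities"]


def fetch_current_context(session_key, base_url=MGMT_URL):
    """Live call against a real search head; not exercised offline, TLS verified."""
    req = build_request(session_key, base_url)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_current_context(resp.read().decode("utf-8"))


# Constructed sample reply shaped like the endpoint's JSON output (not real data).
SAMPLE_REPLY = json.dumps({
    "entry": [{
        "name": "context",
        "content": {
            "username": "obama",
            "realname": "Example User",
            "roles": ["user"],
            "capabilities": ["search", "rest_properties_get"],
        },
    }]
})

if __name__ == "__main__":
    ctx = parse_current_context(SAMPLE_REPLY)
    print(ctx["username"], ctx["roles"], can_dispatch_rest_to_indexers(ctx))
```

In a real deployment `fetch_current_context()` would be handed the session key returned by Splunk's login endpoint; everything else in the block runs offline against the constructed reply.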

landen99
Motivator

index=_internal [ rest /services/authentication/current-context/context local=t | fields + username | rename username as user | search user != "splunk-system-user" ] | dedup user | search user != "splunk-system-user" | table user

0 Karma

wrangler2x
Motivator

search index=_internal source="*web_access.log*" user!="-" | stats max(req_time) as lt, min(req_time) as ft by user
| eval epochft = strptime( ft, "%d/%b/%Y:%H:%M:%S.%3N %z" )
| eval firstTime = strftime(epochft, "%m/%d/%Y %H:%M:%S")
| eval epochlt = strptime( lt, "%d/%b/%Y:%H:%M:%S.%3N %z" )
| eval lastTime = strftime(epochlt, "%m/%d/%Y %H:%M:%S")
| eval minutesAgo = round((now()-epochlt)/60,3)
| eval hoursOn = round((now()-epochft)/3600,2)
| fields user lastTime minutesAgo hoursOn firstTime

0 Karma

chimell
Motivator

Good, thanks.
Don't forget to vote.

0 Karma

askhat_pernebek
Path Finder

Hello. This method works well, but only for admins. I need it to work for users as well. I already gave the capability "dispatch_rest_to_indexers" to users. However, I can't get the username. Help me please.

0 Karma

chanmi2
Path Finder

Is it okay if I do this dump search?

index="_audit" earliest=-30s [search index="unique"|stats count|eval count="*"|table count] | table user

Enter a unique string for each different user; after running that dump search, there will be a record in _audit.

0 Karma

javiergn
SplunkTrust

If you are in a distributed environment you might need to specify your Splunk server:

rest /services/authentication/current-context splunk_server=local

javiergn
SplunkTrust

This is what I would do:

  • Create a new dashboard in your app
  • Add a Single Value panel to it (Shared in App)
  • The search string for the panel should be:

    | rest /services/authentication/current-context splunk_server=local
    | fields username

  • Set your dashboard as the home page for your app (see this)
0 Karma

gyslainlatsa
Motivator

hi renanprado96,

This is an example of a query that returns the name of the current user; you can use it in your specific case:

index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ] 

The most important part of the query, the one that returns the current user, is this:

| rest /services/authentication/current-context/context

landen99
Motivator

That shows all of the users.

0 Karma

renanprado96
Path Finder

Hello friend,
I understood that this script returns the user name in a query. But actually I wanted to show the user name in HTML, the home page of an APP that I am creating.

0 Karma

askhat_pernebek
Path Finder

Can you help?
Your method works, but only for admin roles.
I need it to work for users too. I already added capability "dispatch_rest_to_indexers". However it does not get username.

0 Karma

nick405060
Motivator

That worked for me (in a query)! I had to modify it, though:

index=_internal [ rest /services/authentication/current-context/context | fields + username | rename username as user ] | dedup user | search user != "splunk-system-user" | table user

landen99
Motivator

Better yet: 

index=_internal [ rest /services/authentication/current-context/context local=t | fields + username | rename username as user | search user != "splunk-system-user" ] | dedup user | search user != "splunk-system-user" | table user
0 Karma