Solved: search based on logged in user id

Sriram · ‎01-24-2012

I need to plug in the logged in user id and build a search query. How do I accomplish this ? I see
cherrypy.session['user']['name'] command provides something similar to this. How do I incorporate this command (or something similar) in my search query.

Thanks
Sriram

bwooden · ‎02-20-2012

There is a sneaky way this can be accomplished out of box using macros. I can explain that further if needed. I've also just uploaded an app called 'whoami'. Let me know how it works for you or if you have any feature requests or improvement ideas.

View solution in original post

Jason · ‎01-29-2013

You can also (in 4.3+) get this information from the rest command:

something like this will add a new username field to your events:

| join [rest /services/authentication/current-context splunk_server=local| fields + username]

bwooden · ‎02-20-2012

There is a sneaky way this can be accomplished out of box using macros. I can explain that further if needed. I've also just uploaded an app called 'whoami'. Let me know how it works for you or if you have any feature requests or improvement ideas.

Sriram · ‎05-21-2012

I sporadically get this error for some user ids. Any ideas why I am getting these. I am not sure whether it is id related or something else.
[subsearch]: External search command 'whoami'returned error code 1.
Here is the query.
index=cc_user_summary source=list_users [| whoami fieldname=userUid | fields userUid ] | dedup displayName

Sriram · ‎03-27-2012

This worked like a charm. Thank you very much.

search based on logged in user id

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases