Splunk Enterprise

Ingesting User Names

biers04
Explorer

I am currently creating a dashboard for users.

index=mcafee AND Customer=Yes AND signature!="[New*" AND ("Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv")
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "file_name", "Executable_,Fingerprint"
| eventstats sum(count) AS total_host
| where count<11
| rename file_name AS "File Name", earliest(TIME) AS "First Seen", count AS Count
| table "File Name", "Executable_,Fingerprint", Count, "Set As Clean"
| eval "Set As Clean"="Clean"
| sort - Count

When a user Clicks "Clean" it auto runs a query that pushes the file hash and filename to a CSV so we no longer see the file name associated with that file hash.

My problem comes in as I need non-repudiation. I am looking to push the current users name into the CSV, but I cannot figure out how to do so push the current user to a table. If I can get it to a table, I'll know how to push their name into the CSV. Current command I am attempting to use is "$env:user_realname$" as it grabs the users name instead of login name. I'm not sure if making it a token or there is something I am missing here.

1 Solution

niketn
Legend

@biers04, in the drilldown outputlookup command that pushes the required file hash and filename to the lookup CSV, please add the following eval as well, prior to the outputlookup command. This will add the real user name as a new column in the lookup file.

<YourDrilldownQuery>
| eval username="$env:user_realname$"
| outputlookup <YourCSVFileName>

PS: If for some reason this does not work, please post the current query being used in your drilldown. Also add some sample data to be pushed in the lookup file.

Following is the run-anywhere Simple XML dashboard with a username column displaying the full name of the logged-in user using the Splunk environment variable, i.e. $env:user_realname$

<dashboard>
  <label>Add User Name to Outputlookup</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval data="method=post, log_level=warn,action=purchase;method=get, log_level=info,action=inquiry;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval username="$env:user_realname$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


biers04
Explorer

Brilliant! Thank you, was missing
eval username="$env:user_realname$" within the search macro.


biers04
Explorer

Actually, it appears that within the CSV, it returns just the literal string "$env:user_realname$"

My drilldown query is as follows:

| dedup "Executable_,Fingerprint"
| head 1
| fillnull value="NULL"
| search NOT NULL
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv

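Because the whole point of the Username column is non-repudiation, the lookup is only useful if every appended row actually carries a resolved name. The following is an added example (not code from the thread or from Splunk) that audits a copy of the submit_hash_clean.csv lookup offline: it parses the CSV with the thread's quoted `Executable_,Fingerprint` header and flags rows where the user column is empty or still contains the unsubstituted `$env:user_realname$` token, which is exactly the symptom reported above. The sample rows and hash values are constructed for illustration.

```python
import csv
import io

# Constructed sample of a submit_hash_clean.csv lookup, not real data.
# The header field "Executable_,Fingerprint" contains a comma, so it must be
# quoted; the third data row carries the literal, unsubstituted dashboard
# token that the thread reports ending up in the file.
SAMPLE_LOOKUP = '''file_name,"Executable_,Fingerprint",Username
setup.exe,0123456789abcdef0123456789abcdef,Jane Doe
updater.exe,fedcba9876543210fedcba9876543210,
helper.dll,00112233445566778899aabbccddeeff,$env:user_realname$
'''

UNSUBSTITUTED_TOKEN = "$env:user_realname$"
FINGERPRINT_FIELD = "Executable_,Fingerprint"


def audit_clean_lookup(csv_text, user_field="Username"):
    """Return (line_number, fingerprint, reason) for every row that lacks a
    usable user attribution. line_number counts the header as line 1."""
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = []
    for line_no, row in enumerate(reader, start=2):
        user = (row.get(user_field) or "").strip()
        fingerprint = row.get(FINGERPRINT_FIELD, "")
        if not user:
            problems.append((line_no, fingerprint, "missing user"))
        elif user == UNSUBSTITUTED_TOKEN or (user.startswith("$") and user.endswith("$")):
            # A "$...$" value means the dashboard token was written verbatim
            # instead of being replaced by the logged-in user's name.
            problems.append((line_no, fingerprint, "unsubstituted dashboard token"))
    return problems


def attributed_rows(csv_text, user_field="Username"):
    """Return the rows that do carry a resolved user, keyed by fingerprint."""
    bad_lines = {line_no for line_no, _, _ in audit_clean_lookup(csv_text, user_field)}
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row[FINGERPRINT_FIELD]: row[user_field]
        for line_no, row in enumerate(reader, start=2)
        if line_no not in bad_lines
    }


if __name__ == "__main__":
    for line_no, fingerprint, reason in audit_clean_lookup(SAMPLE_LOOKUP):
        print(f"line {line_no}: {fingerprint} -> {reason}")
    print("attributed:", attributed_rows(SAMPLE_LOOKUP))
```

Run it against an exported copy of the lookup (for example via `| inputlookup submit_hash_clean.csv` exported to CSV) to catch rows that were appended while token substitution was not working; those rows cannot be tied to a user and should be reviewed before they are trusted as "clean" decisions.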

biers04
Explorer

FYI to display usernames themselves it is

$env:user_realname$

(don't need the h1 tag). I just need a possible way to grab the h1 and push that to the csv as well.


biers04
Explorer

row panel html h1 id="User">$env:user_realname$

Did not realize it would not display the row panel html h1 tag - reinserted here without the <>
