I am currently creating a dashboard for users.
index=mcafee AND Customer=Yes AND signature!="[New*" AND ("Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv")
| dedup "Workstation_,Name"
| eval TIME=strftime(_time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "file_name", "Executable_,Fingerprint"
| eventstats sum(count) AS total_host
| where count<11
| rename file_name AS "File Name", earliest(TIME) AS "First Seen", count AS Count
| table "File Name", "Executable_,Fingerprint", Count, "Set As Clean"
| eval "Set As Clean"="Clean"
| sort - Count
When a user Clicks "Clean" it auto runs a query that pushes the file hash and filename to a CSV so we no longer see the file name associated with that file hash.
My problem comes in as I need non-repudiation. I am looking to push the current user's name into the CSV, but I cannot figure out how to push the current user to a table. If I can get it into a table, I'll know how to push their name into the CSV. The current command I am attempting to use is "$env:user_realname$", as it grabs the user's name instead of the login name. I'm not sure if I need to make it a token or if there is something I am missing here.
@biers04, in the drilldown outputlookup command that pushes the required file hash and filename to the lookup CSV, please add the following eval as well, prior to the outputlookup command. This will add the real user name as a new column in the lookup file:
<YourDrilldownQuery>
| eval username="$env:user_realname$"
| outputlookup <YourCSVFileName>
PS: If for some reason this does not work, please post the current query being used in your drilldown. Also add some sample data to be pushed in the lookup file.
Following is a run-anywhere Simple XML dashboard with a username column displaying the full name of the logged-in user, using the Splunk environment variable $env:user_realname$:
<dashboard>
<label>Add User Name to Outputlookup</label>
<row>
<panel>
<table>
<search>
<query>| makeresults
| eval data="method=post, log_level=warn,action=purchase;method=get, log_level=info,action=inquiry;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval username="$env:user_realname$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Brilliant! Thank you, I was missing eval username="$env:user_realname$" within the search macro.
Actually, it appears that within the CSV, it returns just the literal string "$env:user_realname$"
My drilldown query is as follows:
| dedup "Executable_,Fingerprint"
| head 1
| fillnull value="NULL"
| search NOT NULL
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv
FYI, to display the usernames themselves it is:
row panel html h1 id="User">$env:user_realname$
Did not realize it would not display the row panel html h1 tag - reinserted here without the <>.
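Putting the answer and the drilldown query from the follow-up together, here is an added run-anywhere Simple XML example; it is not code from the thread, and the `hash` field name, the `clean_hash`/`clean_file` token names and the panel titles are assumptions chosen for illustration. The detail the follow-up ran into is that `$env:user_realname$` is a dashboard token: the dashboard framework substitutes it in the browser before the search is dispatched. A macro body is expanded server-side by the search parser, which never sees dashboard tokens, so inside a macro the string survives literally. The token therefore has to appear in the dashboard's own `<query>` (or `<drilldown>`), as below. The example also records `$env:user$`, the login name, because real names are not unique, and stamps the row with `now()`:

```xml
<dashboard>
  <label>Set As Clean with audit columns (added example)</label>
  <row>
    <panel>
      <table>
        <title>Unrecognised executables (click a row to mark it clean)</title>
        <search>
          <!-- index and field names (file_name, hash) are assumptions for illustration -->
          <query>index=mcafee Customer=Yes
| stats count by file_name, hash
| where count&lt;11
| eval "Set As Clean"="Clean"
| sort - count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.<field>$ is filled in by the framework from the clicked row;
               the tokens below are hypothetical names for this example -->
          <set token="clean_hash">$row.hash$</set>
          <set token="clean_file">$row.file_name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$clean_hash$">
    <panel>
      <table>
        <title>Row written to submit_hash_clean.csv</title>
        <search>
          <!-- Dashboard tokens ($clean_*, $env:user$, $env:user_realname$) are
               substituted here, in the dashboard's own query string, before the
               search is dispatched. They are never substituted inside a macro.
               The |s filter wraps the value in double quotes and escapes embedded
               quotes, so a file name containing " cannot alter the eval. -->
          <query>| makeresults
| eval file_name=$clean_file|s$, hash=$clean_hash|s$
| eval marked_by="$env:user$", marked_by_realname="$env:user_realname$"
| eval marked_at=strftime(now(), "%Y-%m-%dT%H:%M:%S%z")
| table file_name, hash, marked_by, marked_by_realname, marked_at
| outputlookup append=true submit_hash_clean.csv</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

One caveat for the non-repudiation goal: the token value is filled in on the client, so any user with search access could run the same `outputlookup` from the search bar with an `eval` naming someone else. Treat the `marked_by` column as a convenience record and rely on the server-side `_audit` index (`index=_audit action=search`, which carries the `user` field and the full `search` string) for a record the user cannot choose.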