I created a search for pushing clean MD5 hashes to a CSV in order to filter out said MD5's. For non-repudiation purposes, I am attempting to send the current users name into the CSV as well.
To make it easier, the base search is below:
index=mcafee Customer=Yes AND signature!="[New*" AND ("ad.Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv") $wild$
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "Executable,Fingerprint"
| eventstats sum(count) as total_host
| where count<11
| rename "Executable_,Fingerprint" AS "File Hash", earliest(TIME) AS "First Seen", count AS Count
| table "File Hash", Count, "Set As Clean" "Username"
|eval "Set As Clean"="Clean"
| eval "Username"="$env:user_realname$"
| sort -Count
Then a search macro runs, pushing the MD5 to the CSV along with the file name (Command below). The issue I am having here is that the token $env:user_realname$ does not appear to be valid in the search macro. Username returns the literal string "$env:user_realname$" instead of the actual user name. If not in quotes, Username returns blank. I am not sure what I am missing.
| dedup "Executable_,Fingerprint"
| head 1
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv
You could do this instead of your current eval expression:
| appendcols
[ | rest /services/authentication/current-context splunk_server=local
| table username ]
Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html
You could do this instead of your current eval expression:
| appendcols
[ | rest /services/authentication/current-context splunk_server=local
| table username ]
Or set a token in in the XML as demonstrated here:
https://answers.splunk.com/answers/338919/how-do-i-get-the-current-logged-in-username-in-spl.html
So I will give you credit, you set me on the right path here. It did not quite work for me, but
| join [rest /services/authentication/current-context splunk_server=local | fields + username]
ended up working.
Glad you got it working!