Dashboards & Visualizations

Passing a token to a saved report

MikeMefford
Explorer

Is there a way to pass a token from my dashboard (field1) text field that will have a username to a saved report (DSN Test Report)?

<form>
  <label>DSN Test</label>
  <fieldset submitButton="true">
    <input type="text" token="field1">
      <label>field1</label>
    </input>
    <input type="time" token="field2">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>DSN Test</title>
        <search ref="DSN Test Report">
          <earliest>$field2.earliest$</earliest>
          <latest>$field2.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

davidwholland
New Member

I have a technique that seems to work...

As we all (for varying values of all) know - it appears you cannot use a "Run-As Owner" saved search inside a dashboard that accepts an argument. (See: https://answers.splunk.com/answers/454828/how-to-run-a-savedsearch-with-the-owner-permission.html )

However, that page does provide a hint of what is required, a "post process filter".

This page: https://www.tekstream.com/optimizing-splunk-dashboards-with-post-process-searches/ provides further details on post-processing.

In the end, this is what worked for me for this particular instance - and is likely applicable in other circumstances. (Note, this is Splunk v7.3.2)

We have a group that does not have access to the wineventlog index, but needed access to the 4740 EventCode. (I suppose we could have provided access via a search filter on the role with access to the index as well - maybe.)

Create a "Run-As Owner" report: (As an administrator, or other account that has access to the wineventlog index)

index=wineventlog  EventCode=4740 source="WinEventLog:Security" Security_ID="*"
| eval lockout = if( mvcount(Security_ID)=1, mvindex(Security_ID, 0), mvindex(Security_ID, 1))
| table _time, Caller_Computer_Name, lockout | sort - _time

Call it "REPORT-AccountLockouts", and give it a reasonable duration. (We used 30 days.)

Apply read permissions to the relevant less permissioned role, and - obviously - set permissions to "Run-As Owner".

The dashboard XML is then:

<form theme="dark">
  <label>Account Lockouts</label>
  <search ref="REPORT-AccountLockouts" id="baseSearch"></search>
  <fieldset submitButton="true">
    <input type="text" token="securityid" searchWhenChanged="true">
      <label>UserName</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Account Lockouts</title>
      <table>
        <search base="baseSearch">
          <query>| search lockout="*$securityid$"
                 | eval evtTime=strftime(_time, "%m/%d/%Y %I:%M:%S %p")
                 | rename evtTime AS Time, Caller_Computer_Name AS Computer, lockout AS UserName
                 | table Time, Computer, UserName
          </query>
        </search>
        <option name="count">25</option>
      </table>
    </panel>
  </row>
</form>

Obviously, this dashboard also needs read access to the less permissioned role.

The dashboard then provides access to all 4740 events, but also has a search box to narrow it down to specific users.

My understanding of how it works is Splunk performs the run-as owner search behind the scenes, and saves the results off to the side, since there is no direct reference to them in the dashboard. The results are then used as a source for the stanzas in the dashboard.

HTH

0 Karma
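A hardened variant of the post-process pattern in the answer above, added here as an example and not davidwholland's code; it assumes the same Run-As Owner report REPORT-AccountLockouts and its lockout field. The weak form splices the raw text token into the search clause, while the |s token filter quotes and escapes the value and like() supplies the wildcard, so user input can only ever narrow the report's results:

```xml
<form>
  <label>Account Lockouts (post-process, quoted token)</label>
  <!-- Base search runs the Run-As Owner report. The user never sees or
       edits its SPL, so the report defines the maximum data exposed. -->
  <search ref="REPORT-AccountLockouts" id="baseSearch"></search>
  <fieldset submitButton="true">
    <input type="text" token="securityid" searchWhenChanged="true">
      <label>UserName</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Account Lockouts</title>
      <table>
        <search base="baseSearch">
          <!-- Weak form (from the post above): the raw token is pasted into
               the search string, so a value containing quotes or boolean
               terms rewrites the filter instead of being matched literally:
                 | search lockout="*$securityid$"
               Hardened form: $securityid|s$ wraps the value in double quotes
               and escapes embedded quotes and backslashes, and the "%"
               wildcard is concatenated inside eval, so the input is only
               ever a literal suffix of the like() pattern. -->
          <query>| where like(lockout, "%" . $securityid|s$)
                 | eval Time=strftime(_time, "%m/%d/%Y %I:%M:%S %p")
                 | rename Caller_Computer_Name AS Computer, lockout AS UserName
                 | table Time, Computer, UserName</query>
        </search>
        <option name="count">25</option>
      </table>
    </panel>
  </row>
</form>
```

Because the post-process query runs over the base search's saved results rather than against the index, the role still needs only read access to the report and the dashboard, as described in the post.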

MikeMefford
Explorer

Unfortunately I didn't, and ended up having to hand it off to our Splunk group for investigation, and I don't believe they have even looked at it yet. I do think my issue has to do with the user's permissions, but I don't control that piece. The Splunk group did mention something about using a Summary index possibly.

0 Karma

sdchakraborty
Contributor

Your saved search should be like below (same as yours, no change):

index=main EventCode=4740 Account_Name=$field1$
| eval Account_Name2=mvindex(Account_Name,1), mytime=_time
| convert timeformat="%m-%d-%Y %I:%M:%S %p" ctime(mytime)
| dedup _time
| table Account_Name2, Caller_Computer_Name, mytime
| rename Account_Name2 AS "Account Locked Out", Caller_Computer_Name AS "Lockout Location", mytime AS "Date/Time"
| sort _time

When you call the saved search in the dashboard it should be like below, as field1 is the parameter name of the saved search:

<search>
  <query>| savedsearch "DSN Test Report" field1="$form.field1$"</query>
  <earliest>$field2.earliest$</earliest>
  <latest>$field2.latest$</latest>
</search>
0 Karma

MikeMefford
Explorer

Thank you very much! That is what I was wanting, but I'm still having an issue. I'm able to run the dashboard and get results, but my user is unable to get results (No Results). I've set the permissions on the saved search (report) to give their role "Read" access and to run the report as "Owner". Which is the way I have all their other reports set.

0 Karma

sdchakraborty
Contributor

From that user's session, try to run the saved search query by passing the account name and see whether it's returning data. It may not be permission related; it may be query related.

0 Karma

MikeMefford
Explorer

sdchakraborty did you have any other ideas on my issue I'm having? I did some testing on your recommendations and posted the results above. Once again thank you for your help on this.

0 Karma

sdchakraborty
Contributor

Sorry, I missed the email notification... Can you check whether you are running the search and dashboard from the same app or not? It could be a permission issue. Also, what is the visualization type for that panel? Event table or statistical table? For your search it needs to be a statistical table.

Sid

0 Karma

MikeMefford
Explorer

The report and dashboard are in the same app. Visualization = Statistics Table

0 Karma

sdchakraborty
Contributor

Strange....Can you post the code for that dashboard panel?

0 Karma

MikeMefford
Explorer

Yeah, this one has me a little stumped; I'm usually pretty good at finding the issue or the code to do what I want.

<form>
  <label>DSN Test</label>
  <fieldset submitButton="true">
    <input type="text" token="account_tok">
      <label>Account Name</label>
    </input>
    <input type="time" token="date_tok">
      <label>Date</label>
      <default>
        <earliest>-14d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>DSN Test</title>
        <search>
          <query>| savedsearch "DSN Test" account_tok="$form.account_tok$"</query>
          <earliest>$date_tok.earliest$</earliest>
          <latest>$date_tok.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

MikeMefford
Explorer

It's account_tok I cleaned up the previous entries a little bit. Here is the saved search now:

index=main_sec EventCode=4740 Account_Name=$account_tok$
| eval Account_Name2=mvindex(Account_Name,1), mytime=_time
| convert timeformat="%m-%d-%Y %I:%M:%S %p" ctime(mytime) 
| dedup _time 
| table Account_Name2, Caller_Computer_Name, mytime 
| rename Account_Name2 AS "Account Locked Out", Caller_Computer_Name AS "Lockout Location", mytime AS "Date/Time"
| sort _time
0 Karma

MikeMefford
Explorer

Did anyone have any other thoughts on this?

0 Karma

wryanthomas
Contributor

I'm experiencing the same thing. My query is very much like yours. "No results found" if dashboard user doesn't have access to underlying index of referenced Report.

Did you find a solution, Mike?

0 Karma

sdchakraborty
Contributor

In your saved search definition, do you have account_tok as the parameter name? Or is it field1? You are calling the savedsearch in the same way I mentioned above, right?

0 Karma

maartendhondt
Explorer

@sdchakraborty I'm having the exact same issue.

It seems like a user can only run a savedsearch as the owner with <search ref="test"></search>.

As soon as this is changed to <search><query>| savedsearch "test"</query></search>, the user will always get the "No results found" answer back, which suggests the savedsearch is run as the user instead of the owner.

Do you know of a way around that?

0 Karma

sdchakraborty
Contributor

Hi @maartendhondt / @MikeMefford ,

I will do some analysis on this and update you shortly.

Sid

0 Karma

sdchakraborty
Contributor

I just tried and it's working for me. I think the issue is happening because of the earliest and latest time you are passing to that search?

<search>
  <query>| savedsearch "DSN Test" account_tok="$form.account_tok$"</query>
  <earliest>$date_tok.earliest$</earliest>
  <latest>$date_tok.latest$</latest>
</search>
0 Karma

maartendhondt
Explorer

When you got it working, did you restrict your user to not have access to the index? Only the owner should be allowed to search the index. That's the entire reason why I'm using a savedsearch.

0 Karma

dmuraleetcs
Explorer

I got stuck in a similar issue and am trying other options. The savedsearch is taking inputs but running as the user, not as admin.

0 Karma

MikeMefford
Explorer

So I had the user run the saved search and they did get results. I did it a couple of different ways: 1. I totally removed the Account_Name= clause; 2. I hardcoded a username in Account_Name="???????". On both they got results. Then I had them try the dashboard with it hardcoded and they got "No Results".

0 Karma