How can I set a token to the current logged-in username in SimpleXML dashboards without using Javascript?

jbrodsky_splunk
Splunk Employee

How can I retrieve the current username of a SplunkWeb user, and use that value in a token so that I can automatically customize subsequent searches on the dashboard to that username? I don't want to use any Javascript and I don't want to have to convert my dashboard to HTML to do this.

twollenslegel_s
Splunk Employee

Now there is a new option: $env:user$ (current user's user name).

https://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/tokens

There are some other useful tokens predefined by who is running the dashboard; most are available, I think, from 6.5+.

| Name | Description |
| --- | --- |
| $env:user$ | Current user's user name |
| $env:user_realname$ | Current user full name. |
| $env:user_email$ | Current user email address. |
| $env:app$ | Current app context |
| $env:locale$ | Current locale |
| $env:page$ | Currently open page |
| $env:product$ | Current instance product type |
| $env:instance_type$ | Indicates whether the current instance is Splunk Cloud or an on-premises deployment |
| $env:is_cloud$ | Indicates if the current instance is Splunk Cloud. This token is only set when "true". |
| $env:is_enterprise$ | Indicates if the current instance is a Splunk Enterprise deployment. This token is only set when "true". |
| $env:is_hunk$ | Indicates if the current instance is a Hunk deployment. This token is only set when "true". |
| $env:is_lite$ | Indicates if the current instance is a Splunk Light deployment. This token is only set when "true". |
| $env:is_lite_free$ | Indicates if the current instance is using a Splunk Light free license. This token is only set when "true". |
| $env:is_free$ | Indicates if the current instance is using a Splunk Enterprise free license. This token is only set when "true". |
| $env:version$ | Current instance product version |

jbillings
Path Finder

$env:user$ only works sometimes. Sometimes it will pass the user ID of another logged-on user.

jbrodsky_splunk
Splunk Employee

Here is some example code. You need to be running Splunk 6.3 or greater, and you use the "finalized" handler to set a token to the first search results from a REST search that returns the current username (in the field 'title'). The example also shows a "depends" on the table that never gets set ($neverdisplay$), so the table that runs the search remains hidden, although the search runs and the token gets populated.

With the example below you will have a new token called "loggedinuser" that you can then use throughout the rest of the dashboard.

<dashboard>
  <label>Token Tester</label>
  <row>
    <panel>
      <table depends="$neverdisplay$">
        <title>get a token</title>
        <search>
          <query>|rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context splunk_server=local | rename username as title | fields title]</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
          <finalized>
            <set token="loggedinuser">$result.title$</set>
          </finalized>
        </search>
      </table>
    </panel>
    <panel>
      <title>Token Display</title>
      <html>
        <h3>Logged In User Token is...</h3>
        <div class="custom-result-value">$loggedinuser$</div>
      </html>
    </panel>
  </row>
</dashboard>
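
A check that puts the two approaches from this thread side by side, as an added example that is not part of any post above: the panel substitutes $env:user$ into a search and compares it with the username that the REST current-context endpoint reports for the session running that search. The dashboard label, panel title, and the field names env_user and check are constructed for illustration.

```xml
<dashboard>
  <!-- Added example: label, title, env_user and check are constructed names -->
  <label>env:user vs. current-context</label>
  <row>
    <panel>
      <title>Token value vs. authenticated user</title>
      <table>
        <search>
          <!-- username is returned by the same REST endpoint used in the
               answer above, evaluated for the session that runs the search.
               env_user is whatever value the dashboard substituted for the
               $env:user$ token before the search was dispatched. -->
          <query>| rest /services/authentication/current-context splunk_server=local
| eval env_user="$env:user$"
| eval check=if(username==env_user, "match", "MISMATCH")
| table username env_user check</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

A MISMATCH row would reproduce the behaviour reported in the thread. Because the REST search executes under the viewer's own session, the username column reflects the authenticated user regardless of what the token held.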