We use some lookup tables to whitelist and blacklist events by src_ip. I've created a view that allows a user to input a src_ip and have that added to the lookup table. The search looks like:
index="logentry" | head 1 | eval src_ip=$src_ip$ | eval status="blacklisted" | eval comment=$c
omment$ | inputlookup append=t ip_blacklist_lookup.csv | dedup src_ip | table src_ip,status,commen
t | outputlookup ip_blacklist_lookup.csv
Is it possible to automatically append the user who executes the search as a field in the data? I'd rather that users not have to enter (or fail to enter) their username.
Can a view run a search on load like a dashboard can? I suppose I could search the _internal index on page load for the most recent event of that page loading and get the username there. Would that require giving the user access to the _internal index or could the view run that search as Splunk itself?
Thx.
Craig