Splunk Search

Workflow action contains other $variables$, how do I escape them?

ktwombley
Explorer

I am trying to make a workflow action to look up IP addresses and hostnames in Active Directory.

Here's what I have so far, but it won't work:

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

My search first uses dnslookup on the input field to get the hostname, and then again to get the IP address. After that it feeds the hostname into an ldapfilter command to search for objects with a matching dNSHostName. Finally it displays a table of the machine's IP, hostname, description (from AD), distinguishedname (from AD), and the groups it's a member of (from AD).

The problem is that when the workflow action is executed Splunk can't resist substituting the $hostname$ right off the bat, so I end up with this trying to execute:

| stats count | fields - count | eval inp="HLCDC02" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=**)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

Note that search="(dNSHostName=**)" is now malformed.

Based on other answers.splunk.com questions, I have tried adding extra dollar signs to $hostname$ to prevent it from evaluating. I got all the way up to $$$$$hostname$$$$$ before I gave up.

Is there some other way to work around this? Or some way to rework my search string to work within a workflow action?

Thanks.

sideview
SplunkTrust

If you hide the problematic syntax in a macro, I don't think workflow actions are able to expand macros, so you should thus avoid the problem.

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | `ldapfilter_macro` | table ip, hostname, description, distinguishedname, memberOf

P.S. If the "CONTOSO" is actually variable, you can use a macro with a variable (i.e. ldapfilter_macro(CONTOSO)).
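As an added illustration of the approach in sideview's answer (this is not code from the original question or answer), here is how the two pieces could be written in Splunk .conf files: the macro that carries the ldapfilter clause together with its $hostname$ token, and a workflow action of type search whose search string calls that macro. The stanza names, the fields list and the one-argument variant are assumptions; so is the assumption that Splunk's macro expansion substitutes only declared args and leaves the undeclared $hostname$ token intact for ldapfilter, which is worth confirming in Settings > Advanced search > Search macros before relying on it.

```ini
# macros.conf (added example, not from the original post)
# The ldapfilter clause lives in the macro so that the workflow action's
# search string never contains "$hostname$" and nothing substitutes it
# before ldapfilter itself resolves it against the hostname field.
[ldapfilter_macro]
definition = ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname"
iseval = 0

# Variant with the domain as a macro argument (the P.S. above), called as
# `ldapfilter_macro(CONTOSO)`. Only the declared arg "domain" is substituted;
# "$hostname$" is assumed to pass through unchanged (assumption, verify).
[ldapfilter_macro(1)]
args = domain
definition = ldapfilter domain="$domain$" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname"
iseval = 0

# workflow_actions.conf (added example; stanza name and fields list are assumed)
# $@field_value$ and $@field_name$ are the workflow-action tokens that are
# meant to be substituted when the user clicks the action; no other $...$
# token appears in this search string.
[lookup_host_in_ad]
type = search
label = Look up $@field_name$ in AD
fields = src_ip, dest_ip, src, dest, host
display_location = both
search.target = blank
search.search_string = | stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | `ldapfilter_macro` | table ip, hostname, description, distinguishedname, memberOf
```

The workflow action still substitutes $@field_value$, which is what it is for; the only $...$ token it must not touch is the one inside the macro. Because the action's search string references the macro by name and, as sideview's answer relies on, the action does not expand macros itself, the token is only seen by ldapfilter at search time, after the first lookup has populated the hostname field.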

grittonc
Contributor

This is genius. I couldn't find this answer anywhere else. Thank you.
