topic Re: wmi WQL query using hostname variable in Getting Data In

wmi WQL query using hostname variable

WinAdmin456 — Mon, 31 Jan 2022 06:29:17 GMT

I am trying to get data into Splunk to show the members of the local / builtin windows groups. In particular "Administrators" and "Remote Desktop Users"

Utilizing the Splunk Forwarder. I am using a WMI (WQL) query to do this via wmi.conf (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\wmi.conf)

This stanza currently works:

(FYI: Fakenameofserver = hostname)

disabled = 0
## Run once per day ## edited
interval = 86400
wql = ASSOCIATORS OF {win32_group.Domain="Fakenameofserver",Name="Administrators"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent
index = window

I don't want to have to prefill the wql queries in the wmi.conf file with the server name on each server. How do i use an environmental or Splunk variable to replace "Fakenameofserver" with the name of the host the Splunk forwarder is running on. I have tried a number of combinations of $host, %host%, %servername%, %computername% etc etc.

Everytime i restart the forwarder to force the query to run i don't get any data into splunk and the log file says:

Error occurred while trying to retrieve results from a WMI query (error="Object cannot be found." HRESULT=80041002) (root\cimv2: ASSOCIATORS OF {win32_group.Domain="%VARIABLENAME%",Name="Remote Desktop Users"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent)

Has anyone had success with this and can you suggest how i can get the stanza to resolve the variable into the value when it queries?
Where should i define the variables (if required) and what syntax do i use when writing these in the wql query?

Thanks for any suggestions.

Re: wmi WQL query using hostname variable

PickleRick — Mon, 31 Jan 2022 07:09:01 GMT

Unless something changed lately and I missed it, splunk's support for environment variables is limited only to internal SPLUNK_* ones. So there is no mechanism built into splunk to resolve such variable.

The WQL query is provided as is so there is also no substitution there.

You'd best use some external tool (puppet, ansible...) to templatize the config and deploy the app.

Re: wmi WQL query using hostname variable

WinAdmin456 — Tue, 01 Feb 2022 06:19:23 GMT

Thanks for your reply.

Is there a way to create a variable within the splunk forwarder that could be used rather than trying to use a windows env variable.

I read about a way to decideonstartup the hostname and that could be referenced from the input.conf file.

Can i create a value in input.conf or another conf file that i can reference just to prove that the WMI query can resolve the variable in the query string?

Re: wmi WQL query using hostname variable

PickleRick — Tue, 01 Feb 2022 19:09:34 GMT

No. As I wrote before, there is no templating within the config file.

Some specific values can have "template values" like decideonstartup mentioned by you but that only works for that particular variable.