All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Phantom Tanium: 'Variables' in query action

ng87
Path Finder
‎07-26-2019 05:50 AM

Trying to use the "Run Query" action from the Tanium app.

The problem I am having is specifying the hostname to be searched.

For example, this should be the search that gets sent to the server :

Get Trace Executed Processes from all machines with Computer Name equals MyHostname1

Obviously, as this is part of the playbook I want the hostname to be filled in from the CEF|Artifacts field.
Does anyone know if this is possible?

Tried the below that didn't work:

  Get Trace ..................  equals artifact.*.cef.sourceHostName
0 Karma
Reply

ansusabu
Communicator
‎08-19-2019 08:33 AM

You can use format block for defining the query. like,

Get Trace Executed Processes from all machines with Computer Name equals {0}

and define parameter of the format block as 'artifact.*.cef.sourceHostName'

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top