Getting Data In

wmi WQL query using hostname variable

WinAdmin456
Engager

I am trying to get data into Splunk to show the members of the local/builtin Windows groups, in particular "Administrators" and "Remote Desktop Users".

Using the Splunk forwarder, I am using a WMI (WQL) query to do this via wmi.conf (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\wmi.conf).

This stanza currently works:

(FYI: Fakenameofserver = hostname)

disabled = 0
## Run once per day ## edited
interval = 86400
wql = ASSOCIATORS OF {win32_group.Domain="Fakenameofserver",Name="Administrators"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent
index = window

I don't want to have to prefill the WQL queries in the wmi.conf file with the server name on each server. How do I use an environment or Splunk variable to replace "Fakenameofserver" with the name of the host the Splunk forwarder is running on? I have tried a number of combinations of $host, %host%, %servername%, %computername% etc.

Every time I restart the forwarder to force the query to run, I don't get any data into Splunk and the log file says:

Error occurred while trying to retrieve results from a WMI query (error="Object cannot be found." HRESULT=80041002) (root\cimv2: ASSOCIATORS OF {win32_group.Domain="%VARIABLENAME%",Name="Remote Desktop Users"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent)


Has anyone had success with this, and can you suggest how I can get the stanza to resolve the variable into the value when it queries?
Where should I define the variables (if required), and what syntax do I use when writing these in the WQL query?

Thanks for any suggestions.


PickleRick
Ultra Champion

Unless something changed lately and I missed it, Splunk's support for environment variables is limited only to internal SPLUNK_* ones. So there is no mechanism built into Splunk to resolve such a variable.

The WQL query is provided as is so there is also no substitution there.

You'd best use some external tool (Puppet, Ansible...) to templatize the config and deploy the app.

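The external templating step PickleRick recommends, as an added example that is not from this thread: a Python render script of the kind an Ansible or Puppet template would run at deploy time, baking the local computer name into one wmi.conf stanza per group. The index and interval come from the question's stanza; the stanza names, the `LocalGroup_` prefix and the output path are assumptions.

```python
import re
import socket
from pathlib import Path

# Local groups whose membership is worth tracking (from the question).
GROUPS = ("Administrators", "Remote Desktop Users")
INTERVAL = 86400   # once per day, as in the original stanza
INDEX = "window"   # index used in the question
# Assumed deploy target: the TA's local directory named in the question.
DEFAULT_OUT = Path(r"C:\Program Files\SplunkUniversalForwarder\etc\apps"
                   r"\Splunk_TA_windows\local\wmi.conf")
# Win32_Group.Domain for a local group is the computer's NetBIOS name.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")

def local_netbios_name() -> str:
    """Short hostname of this machine, upper-cased as WMI reports it."""
    return socket.gethostname().split(".")[0].upper()

def wql_for_group(hostname: str, group: str) -> str:
    """ASSOCIATORS OF query listing the members of one local group."""
    return ('ASSOCIATORS OF {Win32_Group.Domain="%s",Name="%s"} '
            'WHERE AssocClass=Win32_GroupUser Role=GroupComponent '
            'ResultRole=PartComponent' % (hostname, group))

def render_wmi_conf(hostname: str, groups=GROUPS) -> str:
    """Full wmi.conf text: one [WMI:...] stanza per group (names assumed)."""
    if not NETBIOS_RE.match(hostname):
        raise ValueError("not a valid NetBIOS computer name: %r" % hostname)
    stanzas = []
    for group in groups:
        if '"' in group:  # a quote would break out of the WQL string literal
            raise ValueError("invalid group name: %r" % group)
        stanza = "LocalGroup_" + re.sub(r"[^A-Za-z0-9]", "", group)
        stanzas.append("[WMI:%s]\ndisabled = 0\ninterval = %d\nwql = %s\n"
                       "index = %s\n" % (stanza, INTERVAL,
                                          wql_for_group(hostname, group), INDEX))
    return "\n".join(stanzas)

def write_wmi_conf(out: Path = DEFAULT_OUT) -> Path:
    """Render for this host and write the file; restart the forwarder afterwards."""
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(render_wmi_conf(local_netbios_name()))
    return out

if __name__ == "__main__":
    print(render_wmi_conf(local_netbios_name()))
```

Run it on each host from your deployment tool (or call `write_wmi_conf()` there) and restart the forwarder; the hostname is fixed into the file, which is the only substitution Splunk will see.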

WinAdmin456
Engager

Thanks for your reply.

Is there a way to create a variable within the Splunk forwarder that could be used rather than trying to use a Windows env variable?

I read about a way to use decideonstartup for the hostname, which could then be referenced from the input.conf file.

Or

Can I create a value in input.conf or another conf file that I can reference, just to prove that the WMI query can resolve the variable in the query string?


PickleRick
Ultra Champion

No. As I wrote before, there is no templating within the config file.

Some specific values can have "template values" like decideonstartup mentioned by you but that only works for that particular variable.
