Splunk Search

How to dynamically pass as parameters all hosts matching a specific query: index=* host=*myserver*?

Julien22
Explorer

Hi all,

I have just downloaded the app "SSL Certificate lookup" from Splunkbase and it's working fine with the following query:

| makeresults
| eval dest="myhost1,myhost2", dest = split(dest,",")
| lookup sslcert_lookup dest
| eval dayleft=round(ssl_validity_window/86400)
| table dest, dayleft, ssl_is_valid, ssl_issuer_common_name, ssl_self_issued, ssl_self_signed, ssl_version

However, myhost1, myhost2 are hardcoded in the initial query and I would like to dynamically pass as parameters all hosts matching a specific query: index=* host=*myserver*

I tried several things without success (subsearch, saved search, macro...), any idea how I could achieve that?
Any help would be greatly appreciated!


PickleRick
SplunkTrust
SplunkTrust

It depends on what you would like to base the search on.

If you want an input on a dashboard, use some $token$. If you want to use another search to determine the dest field, either use subsearch or, preferably, make an initial search part that fills that dest field. Hard to say how to do it if we don't know what you want to do 🙂


Julien22
Explorer

Thanks for your reply. The objective is mainly to generate SSL certificate alerts for a list of hosts.

I would like to avoid maintaining the hosts list manually (currently hardcoded in the query), so if it's possible to include it in an initial search or even in a subsearch it would be great.

For this initial search, how do I include it in my current query and how does it pass the value as input to my "dest" field?

I hope the need is clearer.


PickleRick
SplunkTrust
SplunkTrust

The add-on simply provides an external lookup so you can do any search which generates such a field. For example

| tstats values(host) as host where index=my_index
| mvexpand host
| lookup sslcert_lookup host

If I understand correctly though (I've never used this add-on myself), it launches an openssl s_client or something like that for each row of results to connect to an external server, so you might want to be careful what you pipe to that command (especially if you have multiple rows with the same value - I'm not sure how it behaves in terms of caching results).


Julien22
Explorer

I tried with your examples and I got an error: "Error in 'lookup' command: Cannot find the source field 'host' in the lookup table 'sslcert_lookup'."

I assume it's not working since the macro is expecting "dest" as input. That's why initially I wanted to get the host result and pass it as input into "dest" but I didn't know how to proceed.
Did I miss something?

Thanks for the help !


Julien22
Explorer

It finally worked with the following query:

| tstats values(host) as host where index="Myindex"
| mvexpand host
| eval dest=host
| lookup sslcert_lookup dest
| eval dayleft=round(ssl_validity_window/86400)
| table dest, dayleft, ssl_is_valid, ssl_issuer_common_name, ssl_self_issued, ssl_self_signed, ssl_version

To be noted: it's throwing an error when the URL is not accessible, so I need to handle the exception.

Thanks a lot !


PickleRick
SplunkTrust
SplunkTrust

Ahhh, right. You don't have to use eval. You can use the lookup as

| lookup sslcert_lookup dest AS host

(I forgot that if the field names differ between the event and the lookup you have to use the AS clause).
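An added example, not from the thread or from the add-on itself, that folds the AS clause into an alert-style search: hosts are deduplicated at the tstats stage (count ... by host yields one row per host, so no mvexpand is needed and the lookup is not called twice for the same host), hosts for which the lookup returned nothing are flagged instead of silently dropped, and certificates expiring within 30 days are flagged. The index name, the 24h window, the 30-day threshold and the assumption that a failed lookup leaves the ssl_* fields empty rather than aborting the search are all assumptions.

```spl
| tstats count where index="my_index" earliest=-24h by host
| fields host
| lookup sslcert_lookup dest AS host
| eval dayleft=round(ssl_validity_window/86400)
| eval status=case(isnull(ssl_validity_window), "no_result",
                   dayleft<30, "expiring_soon",
                   true(), "ok")
| where status!="ok"
| table host, status, dayleft, ssl_is_valid, ssl_issuer_common_name, ssl_self_issued, ssl_self_signed, ssl_version
| sort dayleft
```

Saved as an alert, a "no_result" row surfaces hosts that are unreachable or no longer serve TLS, which is usually worth knowing as much as an expiring certificate.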
