Hi all,
I have just downloaded the app "SSL Certificate lookup" from Splunkbase and it's working fine with the following query:
| makeresults
| eval dest="myhost1, myhost2", dest = split(dest,",")
| lookup sslcert_lookup dest
| eval dayleft=round(ssl_validity_window/86400)
| table dest,dayleft, ssl_is_valid,ssl_issuer_common_name,ssl_self_issued,ssl_self_signed,ssl_version
However, myhost1, myhost2 is hardcoded in the initial query and I would like to dynamically pass as parameters all hosts matching a specific query: index=* host=*myserver*
I tried several things without success (subsearch, saved search, macro...), any idea how I could achieve that?
Any help would be greatly appreciated!
The add-on simply provides an external lookup so you can do any search which generates such field. For example
| tstats values(host) as host where index=my_index
| mvexpand host
| lookup sslcert_lookup host
If I understand correctly though (I've never used this add-on myself), it launches an openssl s_client or something like that for each row of results to connect to an external server, so you might want to be careful what you pipe to that command (especially if you have multiple rows with the same value - I'm not sure how it behaves in terms of caching results).
It depends on what you would like to base the search on.
If you want an input on a dashboard, use some $token$. If you want to use another search to determine the dest field, either use subsearch or, preferably, make an initial search part that fills that dest field. Hard to say how to do it if we don't know what you want to do 🙂
Thanks for your reply, the objective is mainly to generate SSL certificate alerts for a list of hosts.
I would like to avoid maintaining the hosts list manually (currently hardcoded in the query), so if it's possible to include it in an initial search or even in a subsearch it would be great.
For this initial search, how do I include it in my current query and how does it pass the value as input into my "dest" field?
I hope the need is clearer.
I tried with your examples and I got an error: "Error in 'lookup' command: Cannot find the source field 'host' in the lookup table 'sslcert_lookup'."
I assume it's not working since the macro is expecting "dest" as input. That's why initially I wanted to get the host result and pass it as input into "dest", but I didn't know how to proceed.
Did I miss something ?
Thanks for the help !
It finally worked with the following query:
| tstats values(host) as host where index="Myindex"
| mvexpand host
| eval dest=host
| lookup sslcert_lookup dest
| eval dayleft=round(ssl_validity_window/86400)
| table dest,dayleft, ssl_is_valid,ssl_issuer_common_name,ssl_self_issued,ssl_self_signed,ssl_version
To be noted: it's throwing an error when the URL is not accessible, so I need to handle the exception.
Thanks a lot !
Ahhh, right. You don't have to use eval. You can use the lookup as
| lookup sslcert_lookup dest AS host
(I forgot that if the field names differ between the event and the lookup you have to use the AS clause).
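As an added example (not the thread's own query, nor code from the add-on), the working search above combined with the AS clause from the last reply, restricted to the host pattern from the original question and turned into an alert condition. The index name, the 7-day lookback, the host pattern and the 30-day threshold are assumptions; the ssl_* field names are the ones the thread's table command already uses.

```spl
| tstats count where index="Myindex" host="*myserver*" earliest=-7d by host
| fields host
| lookup sslcert_lookup dest AS host
| eval dayleft=round(ssl_validity_window/86400)
| eval cert_checked=if(isnotnull(ssl_validity_window), "yes", "no")
| where cert_checked="no" OR dayleft < 30
| table host, cert_checked, dayleft, ssl_is_valid, ssl_issuer_common_name, ssl_self_issued, ssl_self_signed, ssl_version
```

Because tstats groups by host, each host is already a single row, so no mvexpand or dedup is needed and the lookup connects to every server exactly once, which addresses the duplicate-row caution in the first reply. The cert_checked column only catches hosts for which the lookup returned no ssl_validity_window value; if the add-on aborts the whole search when a host is unreachable, as reported above, that still has to be dealt with on the add-on side.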