Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Workflow action contains other $variables$, how do I escape them?

ktwombley
Explorer
‎03-19-2015 08:44 AM

I am trying to make a workflow action to look up IP addresses and hostnames in Active Directory.

Here's what I have so far, but it won't work:

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

my search first uses dnslookup to on the input field to get the hostname, and then again to get the ip address. After that it feeds the hostname into an ldapfilter command to search for objects with a matching dNSHostName. Finally it displays a table of the machine's IP, hostname, description (from AD), distinguishedname (from AD), and the groups it's a member of (from AD).

The problem is that when the workflow action is executed Splunk can't resist substituting the $hostname$ right off the bat, so I end up with this trying to execute:

| stats count | fields - count | eval inp="HLCDC02" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=**)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

Note that search="(dNSHostName=**)" is now malformed.

Based on other answers.splunk.com questions, I have tried adding extra dollar signs to $hostname$ to prevent it from evaluating. I got all the way up to $$$$$hostname$$$$$ before I gave up.

Is there some other way to work around this? Or some way to rework my search string to work within a workflow action?

Thanks.

Reply

sideview
SplunkTrust
SplunkTrust
‎03-19-2015 09:48 PM

If you hide the problematic syntax in a macro, I don't think workflow actions are able to expand macros so you should thus avoid the problem. 

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | `ldapfilter_macro` | table ip, hostname, description, distinguishedname, memberOf

PS. If the "CONTOSO" is actually variable, you can use a macro with a variable (ie ldapfilter_macro(CONTOSO) )

Reply

grittonc
Contributor
‎03-01-2018 06:24 AM

This is genius. I couldn't find this answer anywhere else. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...