Splunk Search

Workflow action contains other $variables$, how do I escape them?

Explorer

I am trying to make a workflow action to look up IP addresses and hostnames in Active Directory.

Here's what I have so far, but it won't work:

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

My search first uses dnslookup on the input field to get the hostname, and then again to get the IP address. After that it feeds the hostname into an ldapfilter command to search for objects with a matching dNSHostName. Finally it displays a table of the machine's IP, hostname, description (from AD), distinguishedname (from AD), and the groups it's a member of (from AD).

The problem is that when the workflow action is executed Splunk can't resist substituting the $hostname$ right off the bat, so I end up with this trying to execute:

| stats count | fields - count | eval inp="HLCDC02" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=**)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf

Note that search="(dNSHostName=**)" is now malformed.

Based on other answers.splunk.com questions, I have tried adding extra dollar signs to $hostname$ to prevent it from evaluating. I got all the way up to $$$$$hostname$$$$$ before I gave up.

Is there some other way to work around this? Or some way to rework my search string to work within a workflow action?

Thanks.

SplunkTrust

If you hide the problematic syntax in a macro, I don't think workflow actions are able to expand macros so you should thus avoid the problem.

| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | `ldapfilter_macro` | table ip, hostname, description, distinguishedname, memberOf

PS. If the "CONTOSO" is actually variable, you can use a macro with a variable (i.e. ldapfilter_macro(CONTOSO)).
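The same idea written out as .conf stanzas, as an added example that is not part of the thread or of Splunk's own documentation. The stanza names (ldapfilter_macro, ldapfilter_macro(1), ad_machine_lookup) are hypothetical, and the example assumes the ldapfilter command from the Active Directory supporting add-on is installed. The security-relevant point is the order of substitution: the workflow action replaces every $token$ in search.search_string with values from the clicked event before the search is dispatched, whereas ldapfilter replaces $hostname$ per result row while the search runs. Keeping the ldapfilter call inside a macro means the workflow action only ever sees the backticked macro name, so $hostname$ survives until ldapfilter is actually executed.

```ini
# macros.conf  (same app as the workflow action; hypothetical names)
#
# No-argument form, matching the `ldapfilter_macro` call in the answer above.
# $hostname$ is NOT a macro argument: it is left in place by macro expansion
# (assumption: undeclared $x$ tokens pass through untouched) and is then
# resolved per row by ldapfilter at search time.
[ldapfilter_macro]
definition = ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname"
iseval = 0

# One-argument form, for the "CONTOSO is actually variable" case.
# Only $domain$ is declared, so only $domain$ is substituted when the
# macro expands; $hostname$ again reaches ldapfilter intact.
[ldapfilter_macro(1)]
args = domain
definition = ldapfilter domain="$domain$" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname"
iseval = 0

# workflow_actions.conf  (hypothetical stanza name)
#
# $@field_value$ and $@field_name$ are workflow-action tokens and are
# meant to be substituted from the clicked event. Nothing else in the
# search string contains a $token$, so the action cannot mangle the
# LDAP filter the way the inline version did.
[ad_machine_lookup]
label = Look up $@field_name$ in Active Directory
type = search
display_location = both
fields = src_ip, dest_ip, src, dest, host
search.app = search
search.view = search
search.target = blank
search.earliest = -1m
search.latest = now
search.search_string = | stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | `ldapfilter_macro` | table ip, hostname, description, distinguishedname, memberOf
```

To switch to the parameterised macro, replace the backticked call in search.search_string with `ldapfilter_macro(CONTOSO)`; the argument is still a literal in the .conf file, so the workflow action has no token to expand there either. A quick way to confirm the behaviour is to run the search string from the search bar with a fixed value in place of $@field_value$ and check the Job Inspector: the expanded search should show the macro body with $hostname$ still present.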

Contributor

This is genius. I couldn't find this answer anywhere else. Thank you.
