I've come up with a solution for this.
First, we don't actually need to use 2 tokens. Going back to a single token allows Splunk to override the defaults when the page loads for the first time (or you refresh).
Second, when the page loads the token is null, so mvcount($token$) is null. We can use that by wrapping the evals in a <condition> block. This means when the page loads, the eval statements that clobber the values don't execute. Give it a shot.
<input type="multiselect" token="env" searchWhenChanged="true">
<delimiter> OR </delimiter>
<condition match=" !isnull(mvcount('form.env')) ">
<eval token="form.env">case(mvcount('form.env')=0,"All",mvcount('form.env')>1 AND mvfind('form.env',"All")>0,"All",mvcount('form.env')>1 AND mvfind('form.env',"All")=0,mvfilter('form.env'!="All"),1==1,'form.env')</eval>
... View more
In my environment we have 1 domain set up. I worked around this issue by copying all the info from the configuration for our domain into the configuration for the default domain.
It's not an answer, but it might be a work-around if you only need to have a single domain configured for SA-ldapsearch.
... View more
I am trying to make a workflow action to look up IP addresses and hostnames in Active Directory.
Here's what I have so far, but it won't work:
| stats count | fields - count | eval inp="$@field_value$" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=*$hostname$*)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf
My search first uses dnslookup on the input field to get the hostname, and then again to get the IP address. After that it feeds the hostname into an ldapfilter command to search for objects with a matching dNSHostName. Finally it displays a table of the machine's IP, hostname, description (from AD), distinguishedname (from AD), and the groups it's a member of (from AD).
The problem is that when the workflow action is executed Splunk can't resist substituting the $hostname$ right off the bat, so I end up with this trying to execute:
| stats count | fields - count | eval inp="HLCDC02" | lookup dnslookup clientip AS inp OUTPUT clienthost AS hostname | lookup dnslookup clienthost AS inp OUTPUT clientip AS ip | ldapfilter domain="CONTOSO" search="(dNSHostName=**)" attrs="description,memberOf,distinguishedname" | table ip, hostname, description, distinguishedname, memberOf
Note that search="(dNSHostName=**)" is now malformed.
Based on other answers.splunk.com questions, I have tried adding extra dollar signs to $hostname$ to prevent it from evaluating. I got all the way up to $$$$$hostname$$$$$ before I gave up.
Is there some other way to work around this? Or some way to rework my search string to work within a workflow action?
... View more