I am creating a dashboard to show all Linux command-line history per user, and I would like to create an input where you can type the user; if it matches anything in a case statement, it assigns a value to "source" and runs the search.
For example, I have two sources:
source=/root/.bash_history
source=/opt/splunk/.bash_history
I have a token $acct$ which holds the user that was typed in the input.
I wrote this search:
index=linux sourcetype=linux_cli
| eval search_source=case($acct$ == root, "/root/.bash_history", $acct$ == splunk, "/opt/splunk/.bash_history")
| search source=search_source
But this returns no results. How can I do this assignment during search?
Try this:
index=linux sourcetype=linux_cli
| eval search_source=case("$acct$" == "root", "/root/.bash_history", "$acct$" == "splunk", "/opt/splunk/.bash_history")
| where match(source, search_source)
OR use match:
index=linux sourcetype=linux_cli
| eval search_source=case(match("$acct$", "root"), "/root/.bash_history", match("$acct$", "splunk"), "/opt/splunk/.bash_history")
| where match(source, search_source)
Neither of these worked. Just to test, I'm using literal text (instead of tokens) and running it in a search. The time is set to "All Time" and there were no results.
Updated answer, check now. If it's not working, post some samples of source from your data.
They both work if you place double quotes around the token:
"$acct$" == "root"
Edit your response for any one else who ends up running into this. Thank you!
That's great! I updated my answer. Thank you.
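A self-contained version of the quoted-token fix, added here as an example and not part of the original thread: it builds three constructed events with makeresults so it can be pasted into a search bar without the linux index, quotes the token so it is compared as a string rather than treated as a field name, and uses exact equality instead of match (which would interpret the path as a regex). The true() fallback branch and the /home/<user> path are assumptions for users not listed in the case statement; when testing outside the dashboard, replace $acct$ with a quoted literal such as "root".

```spl
| makeresults count=3
| streamstats count AS n
| eval source=case(n==1, "/root/.bash_history", n==2, "/opt/splunk/.bash_history", n==3, "/home/alice/.bash_history")
| eval _raw=case(n==1, "cat /etc/shadow", n==2, "splunk restart", n==3, "ls -la")
| eval acct="$acct$"
| eval search_source=case(acct=="root", "/root/.bash_history", acct=="splunk", "/opt/splunk/.bash_history", true(), "/home/" . acct . "/.bash_history")
| where source=search_source
| table acct source _raw
```

Typing root in the input returns only the /root/.bash_history event; leaving the token unquoted (eval acct=$acct$) expands to eval acct=root, which reads a non-existent field and yields null, so nothing matches.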
@ricotries
Can you please try this?
index=linux sourcetype=linux_cli
| eval act=$acct$
| eval search_source=case(act="root", "/root/.bash_history", act="splunk", "/opt/splunk/.bash_history")
| where source=search_source
This did not work. It's not throwing any errors, it's just not returning anything.