I'm working on a dashboard in which the user enters a list of hosts. The issue I'm running into is they must add an asterisk to the host name or it isn't found in the search. This is what the SPL looks like.

index=os_* (`wineventlog_security` OR sourcetype=linux_secure) host IN ( host1*, host2*, host3*, host4*, host5*, host6*, host7*, host8* ) earliest=-7d@d
| dedup host
| eval sourcetype=if(sourcetype = "linux_secure", sourcetype, source)
| fillnull value=""
| table host, index, sourcetype, _raw

If there is no * then there are no results. What I would like to be able to do is have them enter hostname, FQDN, and either upper or lower case and the SPL would change it to lower case, remove any FQDN parts, add the *, and then search. So far I haven't come up with SPL that works. Any thoughts?

TIA, Joe
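One way to do the normalization described above, as an added example that is not part of the original post: a subsearch lower-cases the entered list, strips everything after the first dot, appends `*`, and returns the result as `host=` filters in place of the `host IN (...)` clause. The `user_input` string is constructed sample input; in the dashboard it would be replaced by the text-input token, for instance `$host_tok|s$`, where `host_tok` is a hypothetical token name and the `|s` filter quotes the value so that user-entered text stays inside the string literal.

```spl
index=os_* (`wineventlog_security` OR sourcetype=linux_secure) earliest=-7d@d
    [| makeresults
     | eval user_input="HOST1.example.com, host2, Host3.corp.local"
     | eval host=split(replace(lower(user_input), "\s+", ""), ",")
     | mvexpand host
     | eval host=mvindex(split(host, "."), 0)
     | where len(host) > 0
     | eval host=host."*"
     | fields host ]
| dedup host
| eval sourcetype=if(sourcetype = "linux_secure", sourcetype, source)
| fillnull value=""
| table host, index, sourcetype, _raw
```

Because the name is cut at the first dot, an entry given as an IP address would be reduced to its first octet, so this form suits hostname and FQDN input only.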