Hi guys. I've been trying to use a variable called "Time Period Variable" in my bash script, but im unable to make it work:

#!/bin/bash

ES EVENT Threshold

number=10

Time Period Variable

es_period=now-1d

Elasticsearch query - Value Count

es_query=$(curl -s --cacert /etc/elasticsearch/certs/ca.crt -u elastic:PASSWORD -XGET "https://elastic.local:9200/csco-fmc-ms/_search" -H 'Content-Type: application/json' -d'{ "from" : 0, "size" : 1000, "query": { "bool" : { "must" : { "wildcard" : { "@computed.message.keyword": "*" } }, "filter": { "range": { "@timestamp": { "gte": "$es_period", "lte": "now" } } } } }}')

Execution

if [[ "$es_query" -ge "$number" ]]; then
echo "Threshold violated!";
else
echo "Threshold not violated.";
fi

I've tried to escape the quote as so

"gte: \"$es_period\"

but this is to no avail.

Any ideas how I can tackle this?

Variable substitution does not work inside single quotes. You can try something like the follows:

es_query=$(curl -s --cacert /etc/elasticsearch/certs/ca.crt -u elastic:PASSWORD -XGET "https://elastic.local:9200/csco-fmc-ms/_search 1" -H 'Content-Type: application/json' -d'{ "from" : 0, "size" : 1000, "query": { "bool" : { "must" : { "wildcard" : { "@computed.message.keyword": "*" } }, "filter": { "range": { "@timestamp": { "gte": "'$es_period'", "lte": "now" } } } } }}')

Worked great, thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.