Solved: Capitalize every word of field in search results

aelliott · ‎02-17-2014

I have a list of Cities in a field that are all lower case.
Is there a way to capitalize them in search?
Example:
los angeles needs to be Los Angeles
kansas city needs to be Kansas City
new york city needs to be New York City
san francisco needs to be San Francisco

Also need this for names too.. i have JOHN SMITH.. and JOHN R SMITH for example that need to be John Smith and John R Smith

kristian_kolb · ‎02-17-2014

Not that I've tried it (yet), but I assume that a fieldX that holds an arbitrary string like in your examples could be formatted like so;

... | eval fieldX = lower(fieldX) | makemv delim=" " fieldX | mvexpand fieldX | eval A = substr(fieldX, 1, 1) | eval B = substr(fieldX,2) | eval A = upper(A) | eval fieldX = A.B | fields - A, B | mvcombine fieldX | eval fieldX = mvjoin(fieldX, " ")

maybe..

EDIT: Needed to remove the temp fields in order for the mvcombine to work

View solution in original post

kulick · ‎04-28-2020

If you want to avoid mvexpand/mvcombine (which have performance and capping risks), try this...

| makeresults | eval str="JOHN SMITH new york city dEvOnShIrE" 
| eval str=lower(str)
| rex mode=sed field=str "s/^([a-z])/__\1__/ s/ ([a-z])/ __\1__/g s/__a__/A/g s/__b__/B/g s/__c__/C/g s/__d__/D/g s/__e__/E/g s/__f__/F/g s/__g__/G/g s/__h__/H/g s/__i__/I/g s/__j__/J/g s/__k__/K/g s/__l__/L/g s/__m__/M/g s/__n__/N/g s/__o__/O/g s/__p__/P/g s/__q__/Q/g s/__r__/R/g s/__s__/S/g s/__t__/T/g s/__u__/U/g s/__v__/V/g s/__w__/W/g s/__x__/X/g s/__y__/Y/g s/__z__/Z/g"

Not the prettiest, but reasonably efficient, I'd guess.

kristian_kolb · ‎02-17-2014

Not that I've tried it (yet), but I assume that a fieldX that holds an arbitrary string like in your examples could be formatted like so;

... | eval fieldX = lower(fieldX) | makemv delim=" " fieldX | mvexpand fieldX | eval A = substr(fieldX, 1, 1) | eval B = substr(fieldX,2) | eval A = upper(A) | eval fieldX = A.B | fields - A, B | mvcombine fieldX | eval fieldX = mvjoin(fieldX, " ")

maybe..

EDIT: Needed to remove the temp fields in order for the mvcombine to work

kristian_kolb · ‎02-17-2014

It seems rather inefficient, and it probably is. However, since the string can be 1, 2, 3 or n words long, it's safest to build it like this, since (AFAIK) there is no foreach() functionality that can operate on the different values of a multivalued field directly. Or on the (single valued) field with a multiword string either for that matter.

/K

kristian_kolb · ‎02-17-2014

tested and works with the following strings in fieldX;

all work and no play makes jack a dull boy
ALL WORK AND NO PLAY MAKES JACK A DULL BOY
ALL wORK anD NO pLaY MaKeS JACk a dull bOy

they all come out as

All Work And No Play Makes Jack A Dull Boy

/k

aelliott · ‎02-17-2014

search results, so if possible use of eval etc.

Ayn · ‎02-17-2014

Do you mean that the search results should be converted or that you have some kind of search input that needs to be converted?

Capitalize every word of field in search results

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes