Splunk Search

Capitalize every word of field in search results

aelliott
Motivator

I have a list of cities in a field that are all lowercase.
Is there a way to capitalize them in search?
Example:
los angeles needs to be Los Angeles
kansas city needs to be Kansas City
new york city needs to be New York City
san francisco needs to be San Francisco

Also need this for names too. I have JOHN SMITH and JOHN R SMITH, for example, that need to be John Smith and John R Smith.

kristian_kolb
Ultra Champion

Not that I've tried it (yet), but I assume that a fieldX that holds an arbitrary string like in your examples could be formatted like so:

... | eval fieldX = lower(fieldX) | makemv delim=" " fieldX | mvexpand fieldX | eval A = substr(fieldX, 1, 1) | eval B = substr(fieldX,2) | eval A = upper(A) | eval fieldX = A.B | fields - A, B | mvcombine fieldX | eval fieldX = mvjoin(fieldX, " ")

Maybe...

EDIT: Needed to remove the temp fields in order for the mvcombine to work

kulick
Path Finder

If you want to avoid mvexpand/mvcombine (which have performance and capping risks), try this...

| makeresults | eval str="JOHN SMITH new york city dEvOnShIrE" 
| eval str=lower(str)
| rex mode=sed field=str "s/^([a-z])/__\1__/ s/ ([a-z])/ __\1__/g s/__a__/A/g s/__b__/B/g s/__c__/C/g s/__d__/D/g s/__e__/E/g s/__f__/F/g s/__g__/G/g s/__h__/H/g s/__i__/I/g s/__j__/J/g s/__k__/K/g s/__l__/L/g s/__m__/M/g s/__n__/N/g s/__o__/O/g s/__p__/P/g s/__q__/Q/g s/__r__/R/g s/__s__/S/g s/__t__/T/g s/__u__/U/g s/__v__/V/g s/__w__/W/g s/__x__/X/g s/__y__/Y/g s/__z__/Z/g"

Not the prettiest, but reasonably efficient, I'd guess.

kristian_kolb
Ultra Champion

It seems rather inefficient, and it probably is. However, since the string can be 1, 2, 3 or n words long, it's safest to build it like this, since (AFAIK) there is no foreach() functionality that can operate on the different values of a multivalued field directly. Or on the (single valued) field with a multiword string either for that matter.

/K

kristian_kolb
Ultra Champion

Tested and works with the following strings in fieldX:

all work and no play makes jack a dull boy
ALL WORK AND NO PLAY MAKES JACK A DULL BOY
ALL wORK anD NO pLaY MaKeS JACk a dull bOy

They all come out as

All Work And No Play Makes Jack A Dull Boy

/k

aelliott
Motivator

search results, so if possible use of eval etc.

Ayn
Legend

Do you mean that the search results should be converted or that you have some kind of search input that needs to be converted?
