Splunk Search

How can I modify my stats search to count all variations of a field value with upper and lowercase text as a single count?

pavanae
Builder

Hi

The following is my search:

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" |rex field=_raw " Coupon code:(?<coupon>.*)" | stats count by coupon | sort - "count" | head 10

Which displays the result as follows:

coupon      count
WINTERGOOD  14368
WINTERgood  10149
Wintergood  3971
WinterGood  213
28K115Z1    196

Now I am trying to display all the wintergood coupons as a single count. Whether they use capital letters, small letters, or a combination of capital and small, all those coupons were applicable, and I am trying to display all of them as one count without separating them by capital or small letters. How can I modify the Splunk search to display them as a single count?

Please suggest a way to display the result as I need.

1 Solution

richgalloway
SplunkTrust

Try this to normalize the coupon name.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" | rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=upper(coupon) | stats count by coupon | sort - "count" | head 10
---
If this reply helps you, Karma would be appreciated.

sideview
SplunkTrust

The simplest way is to just normalize all the capitalization before the stats command.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" | rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=lower(coupon) | stats count by coupon | sort - count | head 10

The eval function is one of the most powerful tools that you have in the Splunk search language, and the following reference page of all its functions should be kept close to hand at pretty much all times.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

pavanae
Builder

Thanks worked gr8.

0 Karma

pavanae
Builder

Thanks worked gr8

0 Karma
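
An added example, not taken from any of the posts above, that runs in a search bar without the baboon index: it builds a few constructed log lines with makeresults, applies the thread's rex and case normalization, and keeps the original spellings next to the merged count. The sample lines and order IDs, the field names constructed_line, coupon_raw, variants and seen_as, and the trim() call (for codes logged with a space after the colon) are assumptions of this example.

```spl
| makeresults
| eval constructed_line=split("CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1001 Coupon code:WINTERGOOD;CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1002 Coupon code:WINTERgood;CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1003 Coupon code:Wintergood;CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1004 Coupon code:WinterGood;CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1005 Coupon code: wintergood;CouponFormHandler::handleClaimCoupon - Applying the coupon to order o1006 Coupon code:28K115Z1", ";")
| mvexpand constructed_line
| rex field=constructed_line " Coupon code:(?<coupon_raw>.*)"
| eval coupon=upper(trim(coupon_raw))
| stats count dc(coupon_raw) as variants values(coupon_raw) as seen_as by coupon
| sort - count
| head 10
```

Keeping coupon_raw alongside the normalized coupon field lets the report show one row per coupon while still listing which spellings were actually submitted.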