- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I use the eval "lower" function to make a f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm trying to make changes to the partial script below to make the field "inFullName" lowercase.
index=main auditSource="matching" auditType="Tx*"
| rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
| eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1")
| eval inFullName= inFName." ".inSName
| eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
| makemv delim=", " inFull_Details
I've tried using | eval inFullName=lower(inFullName) at multiple points in the search, but the field fails to display any data, so somewhere along the lines I've gone wrong.
Could someone have a look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What values do you have for inFullName?. I just tried this and it works as expected
| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is hard (impossible) to say without sample event data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @woodcock, thank you for taking the time to come back to me with this. You'll see from my comment above that I was able to use the solution provided by @sundareshr.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What values do you have for inFullName?. I just tried this and it works as expected
| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sundareshr, thank you for taking the time to reply to my post.
Could you perhaps explain to me what "gentimes start=-1" does, because when I used this I received an error message.
Anyway with some tweaks to fit in with the data I need I used | eval inFullNameL= lower(inFName)." ".lower(inSName) and it worked perfectly.
If you want to change this to an answer I can accept this.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@IRHM73, Converted to answer. I used gentimes (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes) only to provide a run-anywhere example. It has not relevance to your search.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
