Hi, I wonder whether someone may be able to help me please.
I'm trying to make changes to the partial script below to make the field "inFullName" lowercase.
index=main auditSource="matching" auditType="Tx*"
| rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
| eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1")
| eval inFullName= inFName." ".inSName
| eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
| makemv delim=", " inFull_Details
I've tried using | eval inFullName=lower(inFullName)
at multiple points in the search, but the field fails to display any data, so somewhere along the lines I've gone wrong.
Could someone have a look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
What values do you have for inFullName? I just tried this and it works as expected
| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
It is hard (impossible) to say without sample event data.
Hi @woodcock, thank you for taking the time to come back to me with this. You'll see from my comment above that I was able to use the solution provided by @sundareshr.
Many thanks and kind regards
Chris
Hi @sundareshr, thank you for taking the time to reply to my post.
Could you perhaps explain to me what "gentimes start=-1" does, because when I used this I received an error message.
Anyway with some tweaks to fit in with the data I need I used | eval inFullNameL= lower(inFName)." ".lower(inSName) and it worked perfectly.
If you want to change this to an answer I can accept this.
Many thanks and kind regards
Chris
@IRHM73, Converted to answer. I used gentimes (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes) only to provide a run-anywhere example. It has no relevance to your search.