Splunk Search

How do I use the eval "lower" function to make a field lowercase?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm trying to make changes to the partial script below to make the field "inFullName" lowercase.

index=main auditSource="matching" auditType="Tx*"
 | rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
 | eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1") 
 | eval inFullName= inFName." ".inSName 
 | eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
 | makemv delim=", " inFull_Details

I've tried using | eval inFullName=lower(inFullName) at multiple points in the search, but the field fails to display any data, so somewhere along the lines I've gone wrong.

Could someone have a look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

1 Solution

sundareshr
Legend

What values do you have for inFullName? I just tried this and it works as expected.

| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL


woodcock
Esteemed Legend

It is hard (impossible) to say without sample event data.

0 Karma

IRHM73
Motivator

Hi @woodcock, thank you for taking the time to come back to me with this. You'll see from my comment above that I was able to use the solution provided by @sundareshr.

Many thanks and kind regards

Chris

0 Karma

IRHM73
Motivator

Hi @sundareshr, thank you for taking the time to reply to my post.

Could you perhaps explain to me what "gentimes start=-1" does, because when I used this I received an error message.

Anyway with some tweaks to fit in with the data I need I used | eval inFullNameL= lower(inFName)." ".lower(inSName) and it worked perfectly.

If you want to change this to an answer I can accept this.

Many thanks and kind regards

Chris

0 Karma

sundareshr
Legend

@IRHM73, Converted to answer. I used gentimes (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes) only to provide a run-anywhere example. It has no relevance to your search.

0 Karma
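
A run-anywhere version of the search from the question, added here as an example and not taken from any post in this thread. It uses makeresults with one constructed sample event (the NINO, names and date are made up) in place of the index search. The fields earlyLower and lateLower are hypothetical names that show the ordering behaviour of eval: lower() on a field that has not been created yet returns null, while the same call after the field exists returns the lowercase value.

```spl
| makeresults
| eval _raw="IncomingSearchRequest(Some(QQ123456C),Some(Mother),Some(THeresa),Some(1910-08-26))"
| rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
| eval earlyLower=lower(inFullName)
| eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1")
| eval inFullName=inFName." ".inSName
| eval lateLower=lower(inFullName)
| eval inFullName=lower(inFullName)
| eval inFull_Details="FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
| makemv delim=", " inFull_Details
| table inFName inSName earlyLower lateLower inFullName inFull_Details
```

In the result, earlyLower is empty and lateLower and inFullName both hold "mother theresa". Concatenation with "." also returns null if either operand is null, so an event where the rex does not match leaves inFullName and inFull_Details empty.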