I think the answer is "no" (as of Splunk Enterprise 6.4), but I thought it was worth checking, because this might affect what fields and values I send to Splunk (typically, in JSON; via TCP, or possibly HEC).
If the answer is a straightforward "no", then the rest of this question, which describes my use case, is more or less academic.
I've read, among other topics:
From that PCRE man page:
Unsupported escape sequences
In Perl, the sequences \l, \L, \u, and \U are recognized by its string handler and used to modify the case of following characters.
So, I'm not surprised that, given the following JSON input:
{"time":"2016-05-11 10:40:30.123456","type":"XYZ","code":"A1B2","some_other_field": "some_value"}
the following per-event source type override in transforms.conf
:
REGEX = \"type\":\"([^\"]+)\",\"code\":\"([^\"]+)\"
FORMAT = sourcetype::\L$1_$2
results in a sourcetype
field value of \LXYZ_A1B2
- that is, with a leading backlash and capital L - rather than the desired xyz_a1b2
.
If the answer is, as I expect, "no", then I see the following options:
type
and code
fields, send JSON with a "precanned" single field, such as event_sourcetype
, with the field value xyz_a1b2
, already in lowercase. (The event_
field name prefix is to keep the field name separate from the default sourcetype
field; yes, I've tried using the field name sourcetype in the input JSON). This would allow for a simpler source type override stanza (one matching field, one back reference).type
and code
field values as lowercase.sourcetype
field value XYZ_A1B2
.Thoughts, opinions, suggestions all welcome.
Your only option using Splunk is SEDCMD
:
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Anonymizedatausingconfigurationfiles
Something like this:
SEDCMD-upper2lower_v1 = y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
SEDCMD-upper2lower_v2 = y/[A-Z]/[a-z]/