I have an index that has some data entering written in uppercase and other data in lowercase, but they are about the same thing.
Here is an example:
HOTMAIL.COM
It is the same as hotmail.com
I know the lower()
function, but how to deal with this data before inserting them?
Thank you!!
You can convert before it is indexed with `SEDCMD:
SEDCMD-upper2lower = s/[aA]/a/g s/[bB]/b/g s/[cC]/c/g s/[dD]/d/g s/[eE]/e/g s/[fF]/f/g s/[gG]/g/g s/[hH]/h/g s/[iI]/i/g s/j/[jJ]/g s/[kK]/k/g s/[lL]/l/g s/[mM]/m/g s/[nN]/n/g s/[oO]/o/g s/[pP]/p/g s/[qQ]/q/g s/[rR]/r/g s/[sS]/s/g s/[tT]/t/g s/[uU]/u/g s/[vV]/v/g s/[wW]/w/g s/[xX]/x/g s/[yY]/y/g s/[zZ]/z/g
You can convert before it is indexed with `SEDCMD:
SEDCMD-upper2lower = s/[aA]/a/g s/[bB]/b/g s/[cC]/c/g s/[dD]/d/g s/[eE]/e/g s/[fF]/f/g s/[gG]/g/g s/[hH]/h/g s/[iI]/i/g s/j/[jJ]/g s/[kK]/k/g s/[lL]/l/g s/[mM]/m/g s/[nN]/n/g s/[oO]/o/g s/[pP]/p/g s/[qQ]/q/g s/[rR]/r/g s/[sS]/s/g s/[tT]/t/g s/[uU]/u/g s/[vV]/v/g s/[wW]/w/g s/[xX]/x/g s/[yY]/y/g s/[zZ]/z/g
I put it in props.conf? input.conf? or not?
Props.conf on your Indexers and each splunk instance will need to be restarted.