Getting Data In

How to configure Splunk to parse uppercase field values and make them lowercase?

renanprado96
Path Finder

I have an index that has some data entering written in uppercase and other data in lowercase, but they are about the same thing.

Here is an example:

HOTMAIL.COM is the same as hotmail.com

I know the lower() function, but how do I deal with this data before inserting it?

I tried using this in the .props file:

SEDCMD-upper2lower = s/[aA]/a/g s/[bB]/b/g s/[cC]/c/g s/[dD]/d/g s/[eE]/e/g s/[fF]/f/g s/[gG]/g/g s/[hH]/h/g s/[iI]/i/g s/[jJ]/j/g s/[kK]/k/g s/[lL]/l/g s/[mM]/m/g s/[nN]/n/g s/[oO]/o/g s/[pP]/p/g s/[qQ]/q/g s/[rR]/r/g s/[sS]/s/g s/[tT]/t/g s/[uU]/u/g s/[vV]/v/g s/[wW]/w/g s/[xX]/x/g s/[yY]/y/g s/[zZ]/z/g

but I could not make it work.

Thank you!!

0 Karma

woodcock
Esteemed Legend

You should have made an update to your original answer instead of opening a new one. In any case, the solution does work so you need to share the details of how you implemented it. What is the full path for your props.conf file? Where did you put this file (what servers)?

You need to put this on your indexers (unless you are using INDEXED_EXTRACTIONS) and you need to restart all Splunk instances there. After that, the changes will only apply to data that is indexed after the restart (older events will not be affected).


renanprado96
Path Finder

props.conf: [screenshot]

input.conf: [screenshot]

directory files:
D:\Splunk\SplunkIn\dd

0 Karma

woodcock
Esteemed Legend

Ah, you are using INDEXED_EXTRACTIONS. In that case, I would switch to using calculated fields, which would affect post-indexed data. It should allow everything to work as you would expect, but it will not change the raw data. Try this in props.conf:

[digital2_csv]
EVAL-Dominio=lower(Dominio)
0 Karma
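
Added example (not part of the original thread, and not Splunk's own code): a Python emulation of the two approaches discussed above, showing that the per-letter SEDCMD rewrites every letter of the raw event, while the calculated field lowercases only Dominio and leaves the raw data intact. The sample event, the Usuario and Token columns, and the function names are constructed for illustration.

```python
import csv
import re
import string

# Per-letter substitutions in the same form as the thread's SEDCMD:
# a space-separated list of s/[xX]/x/g commands, one per letter.
SED_SCRIPT = " ".join(f"s/[{c}{c.upper()}]/{c}/g" for c in string.ascii_lowercase)

# Constructed sample: CSV header and one event. Token is a case-sensitive
# base64 value standing in for any field whose case must be preserved.
HEADER = ["Usuario", "Dominio", "Token"]
RAW = "JSilva,HOTMAIL.COM,aGVsbG8gV29ybGQ="


def apply_sed_script(raw, script=SED_SCRIPT):
    """Index-time view: run each s/regex/replacement/g command over the whole raw event."""
    for cmd in script.split():
        m = re.fullmatch(r"s/([^/]*)/([^/]*)/g", cmd)
        if m is None:
            raise ValueError(f"unsupported command: {cmd}")
        raw = re.sub(m.group(1), m.group(2), raw)
    return raw


def calculated_field(raw, header=HEADER, field="Dominio"):
    """Search-time view: parse the event, lowercase one field, do not touch raw."""
    row = dict(zip(header, next(csv.reader([raw]))))
    row[field] = row[field].lower()
    return row


def token_of(raw, header=HEADER):
    """Return the Token column of a raw CSV event."""
    return dict(zip(header, next(csv.reader([raw]))))["Token"]


if __name__ == "__main__":
    rewritten = apply_sed_script(RAW)
    print("index-time raw :", rewritten)               # every letter lowercased
    print("token changed  :", token_of(rewritten) != token_of(RAW))
    print("search-time row:", calculated_field(RAW))   # only Dominio lowercased
    print("raw unchanged  :", RAW)
```

If other fields in the event are case-sensitive (tokens, hashes in mixed-case encodings, file paths), the search-time calculated field is the safer normalization because the indexed evidence stays as received.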

renanprado96
Path Finder

Oh yeah, I get it.
I've tested it and it worked.
Thank you very much!!

Have a good day or night.. haha

0 Karma