How can I make the results of a count on the user field case insensitive?
index=winevents sourcetype="WinEventLog:Security" Keywords="Audit Failure" | fields user, count
I get results like:
User:
JDoe
jdoe
MSmith
msmith
I'd rather that user field consolidate those values.
I think this is done with the eval argument, but I don't know the syntax.
I think you meant | stats count by user rather than | fields?
That being said, yeah - stats is case sensitive. In fact, virtually everything in Splunk searches is case sensitive except the search command with regards to values... so you can | search log_level="error" and find ERROR, but can't | search loG_level="error" because field names are always case sensitive, and can't | where log_level="error" because it's not search.
You can normalize field values to either lower or upper case before sending them into stats like this:
... | eval user = lower(user) | stats count by user
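Putting the answer together with the original question's search, as an added example (not from the original post or answer): the first search folds the user field to lower case before counting, so JDoe/jdoe and MSmith/msmith each collapse into one row; the second keeps the normalized key separate from the original values so you can still see which spellings were observed. The field names user_lc and seen_as, the sort, and the use of values() are my choices, not anything the answer specified.

```spl
index=winevents sourcetype="WinEventLog:Security" Keywords="Audit Failure"
| eval user=lower(user)
| stats count BY user
| sort -count

index=winevents sourcetype="WinEventLog:Security" Keywords="Audit Failure"
| eval user_lc=lower(user)
| stats count, values(user) AS seen_as BY user_lc
| sort -count
```

With the sample values from the question, the first search returns two rows (jdoe and msmith) with the combined failure counts; the second returns the same two rows plus a seen_as column listing JDoe,jdoe and MSmith,msmith. Do the eval before stats, not after: once stats has grouped on the original case-sensitive values, lowercasing the result field will not merge the rows.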