Solved: What should be added to my search to convert all t...

pavanae · ‎10-19-2017

I have a Splunk query as follows

| inputlookup hosts.csv | rename Hostname as my_hostname |rex mode=sed field=my_hostname "s/..*//g

Now what should be added to my query to convert all the results to be lower case.

cmerriman · ‎10-19-2017

|eval my_hostname=lower(my_hostname)

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/TextFunctions

View solution in original post

kamlesh_vaghela · ‎10-20-2017

Hi pavanae,

can you please try it?

| foreach "*" [eval <<FIELD>>=lower('<<FIELD>>') ]

Thanks

dflodstrom · ‎10-20-2017

This definitely works even if you just use lower(<<FIELD>>)

You could be silly and make everything lowercase too: | eval _raw=lower(_raw)

kamlesh_vaghela · ‎10-21-2017

Hi dflodstrom ,

Yes lower(<<FIELD>>) works but I don't think so | eval _raw=lower(_raw) will work on those fields which are extracting search time. All search time extraction will be done when search before the first Pipe (|) will execute. Even we change _raw after the first Pipe(|) the extracted fields will be the same.

For an example. Please check output of below search:

index=_internal   component=HTTPAuthManager | eval _raw=lower(_raw)  | stats  count by component, log_level,message

Thanks

gcusello · ‎10-20-2017

Hi pavanae,
if I correctly understood:

| inputlookup hosts.csv 
| eval my_hostname=upper(Hostname) 
| rex mode=sed field=my_hostname "s/..*//g"

Bye.
Giuseppe

cmerriman · ‎10-19-2017

|eval my_hostname=lower(my_hostname)

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/TextFunctions

dflodstrom · ‎10-20-2017

This is the easiest way to solve your specific issue.

What should be added to my search to convert all the results to be lower case?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!