
Use of upper/lower

smanganiello_sp
Splunk Employee

Other than making reports more readable, are there other reasons to use the upper/lower function of eval?

0 Karma

jhall_101215
Explorer
OK, this is an old question but still could benefit from another answer. Try these sample use-cases to help explain some of the value in this command.
  1. Lookup table case-sensitivity issues: If your lookup isn't supporting case_sensitive_match=false (in transforms.conf), you can use eval to set your field values to match the 'case' of the lookup table entries.

  2. Character legibility: Some tables, stats, reports, etc. can cause one to confuse certain number-letter combinations (such as you might see in a host_name). In this case, one might consider using eval with 'upper' to help distinguish the characters displayed.

  3. Better as eye-candy: E.G. "IF", most values in a table may be all UPPER cased, except for one. Now, you have an inconsistent view (..a Sesame Street condition: one of these is not like the other). So, using eval with 'upper', you can now set the last remaining field values to be consistent with the rest of the report. Same goes for using lower in the opposite condition.

    • .. | eval MyField=upper(MyField)
  4. Business use-case: Your organization may mandate certain 'case' usage in various reports, etc.

  5. Personal preference: You just want to see the other case used.

  6. Sentence Case option: Using an additional PARAM in eval ('substr'), you could make the value proper Sentence Case, based on the pre-existing value and your need(s). Below is an example:

  • Situation: You are ingesting a log where the status={SomeWord} is being added. After you review the logs in Splunk, you notice the developers accidentally used the wrong case (let's assume caps lock was on) and you get this instead: status=eRROR. That looks horrible; here is one way to fix it.
    • .. | eval status=upper(substr(status,1,1)).lower(substr(status,2))
0 Karma

Ayn
Legend

It depends entirely on your use-case. Is there a specific reason for asking the question? If you don't know what you'd need upper/lower for, you won't need it either. There are a range of situations I could think of where it could prove useful - using upper/lower for being able to compare mixed-case values comes to mind, for instance.

0 Karma

Ayn
Legend

The way I see it you're asking the question a bit backwards. What the function does is explained in the docs. What you can use it for is - like any functions in any programming language and other - entirely up to you.

0 Karma

smanganiello_sp
Splunk Employee

Well, if I do not know what the possible uses for the command are, then it is hard to use it. Which is why I asked the question. Using it to compare mixed case values is a good example.

0 Karma
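The mixed-case comparison and lookup-matching uses mentioned in this thread, as an added example that is not from any of the posters: eval comparisons and stats BY grouping are case-sensitive, so the same account logged in different spellings is split and partly missed until it is normalized with lower(). The user values, field names and the sample_note label are constructed for illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval sample_note="constructed sample values, not from a real log"
| eval user=case(n=1,"Admin", n=2,"ADMIN", n=3,"admin", n=4,"JSmith", n=5,"jsmith", n=6,"svc_backup")
| eval raw_match=if(user="admin", "yes", "no")
| eval user_norm=lower(user)
| eval norm_match=if(user_norm="admin", "yes", "no")
| stats count AS events
        dc(user) AS spellings
        values(user) AS seen_as
        count(eval(raw_match="yes")) AS raw_hits
        count(eval(norm_match="yes")) AS norm_hits
        BY user_norm
```

Comparing raw_hits with norm_hits on each row shows how many events an exact-case comparison would have missed. The same user_norm field can be passed to a lookup whose keys are stored in lowercase.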