Knowledge Management

Workflow Action "case sensitivity" question

gnovak
Builder

Hi,

I have a workflow action that creates a link to an external site based on information in a particular field and eventtype.

The problem i have noticed is that in splunk the field i have chosen for this workflow action is displayed in logs like this: 6411-CP.

This field is inserted into a URL which users can access from a link in splunk. The problem now is the link they access doesn't like the CP being capital. The link returns no results with 6411-CP but does return results with 6411-cp.

Any ideas on how to get splunk to maybe change upper case to lower case for a workflow action using a link?

Tags (1)
1 Solution

ftk
Motivator

Well I think you have a couple of ways you could go about this. If you are using the workflow action on a saved search, you could simply add an eval statement to change the field to lowercase in the results, so when the workflow action is triggered it will use the lowercase field:

your search terms | eval my_field=lower(my_field)

Alternatively, you could convert the data to lowercase at index time using SEDCMD to substitute characters.

View solution in original post

ftk
Motivator

If that answer solved your problem, can you please click the check mark next to the answer? It will mark this questions as answered and help keep the site clean.

Thanks!

0 Karma

ftk
Motivator

Well I think you have a couple of ways you could go about this. If you are using the workflow action on a saved search, you could simply add an eval statement to change the field to lowercase in the results, so when the workflow action is triggered it will use the lowercase field:

your search terms | eval my_field=lower(my_field)

Alternatively, you could convert the data to lowercase at index time using SEDCMD to substitute characters.

gnovak
Builder

That worked...thanks!

0 Karma

gnovak
Builder

I'll give that a shot.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...