https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38859#M7183 <P>I don't believe this is possible. There is certainly a case to be made for allowing simple transforms (e.g., simple string operations like yours, or basic arithmetic) that can not be accomplished by PCRE, but that would have to be an enhancement to the product, and has some other repercussions on searching for such transformed fields.</P> <P>I suppose in your particular case, for search purposes it's not necessary (as search is case-insenstive), and for reporting and display you can still use the <CODE>eval</CODE> <CODE>lower()</CODE> function. It does mess up <CODE>metadata</CODE> a bit, but you <EM>could</EM> resolve that by, e.g., changing the metadata search on the dashboards from </P> <PRE><CODE>| metadata type=hosts </CODE></PRE> <P>to </P> <PRE><CODE>| metadata type=hosts | eval host=lower(host) | stats sum(totalCount) as totalCount min(firstTime) as firstTime max(lastTime) as lastTime max(recentTime) as recentTime first(type) as type by host </CODE></PRE> <P>(though this might actually get <CODE>recentTime</CODE> wrong, but I doubt that's a problem in practice)</P> <P>If you're looking at a few specific hosts and specific ways they are capitalized, you could also construct a lookup table and set a combination of automatic <CODE>FIELDALIAS</CODE> and <CODE>LOOKUP</CODE> to overwrite the original <CODE>host</CODE> field. You could do it with a scripted lookup too I guess, if it's more complicated than that. This seems a little wrong to me though.</P> Sun, 29 Aug 2010 01:47:05 GMT gkanapathy 2010-08-29T01:47:05Z https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38858#M7182 <P>Is there a way to extract the hostname from an event, but force it to lower-case in the process?</P> <P>Extracting the hostname is easy enough (DEST_KEY in transforms.conf, etc.), but this doesn't account for the case.</P> <P>The SEDCMD option in props.conf would appear to be an option, but it's not clear whether 'y/[A-Z]/[a-z]/' style replacements are supported. Even if they are, using SEDCMD would modify the original event text, which is undesirable.</P> <P>The goal is normalize hostnames so that they are consistent for all events from that machine, without modifying the actual event text.</P> Sat, 28 Aug 2010 00:35:53 GMT https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38858#M7182 southeringtonp 2010-08-28T00:35:53Z https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38859#M7183 <P>I don't believe this is possible. There is certainly a case to be made for allowing simple transforms (e.g., simple string operations like yours, or basic arithmetic) that can not be accomplished by PCRE, but that would have to be an enhancement to the product, and has some other repercussions on searching for such transformed fields.</P> <P>I suppose in your particular case, for search purposes it's not necessary (as search is case-insenstive), and for reporting and display you can still use the <CODE>eval</CODE> <CODE>lower()</CODE> function. It does mess up <CODE>metadata</CODE> a bit, but you <EM>could</EM> resolve that by, e.g., changing the metadata search on the dashboards from </P> <PRE><CODE>| metadata type=hosts </CODE></PRE> <P>to </P> <PRE><CODE>| metadata type=hosts | eval host=lower(host) | stats sum(totalCount) as totalCount min(firstTime) as firstTime max(lastTime) as lastTime max(recentTime) as recentTime first(type) as type by host </CODE></PRE> <P>(though this might actually get <CODE>recentTime</CODE> wrong, but I doubt that's a problem in practice)</P> <P>If you're looking at a few specific hosts and specific ways they are capitalized, you could also construct a lookup table and set a combination of automatic <CODE>FIELDALIAS</CODE> and <CODE>LOOKUP</CODE> to overwrite the original <CODE>host</CODE> field. You could do it with a scripted lookup too I guess, if it's more complicated than that. This seems a little wrong to me though.</P> Sun, 29 Aug 2010 01:47:05 GMT https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38859#M7183 gkanapathy 2010-08-29T01:47:05Z https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38860#M7184 <P>gkanapathy is correct here. Although SEDCMD can perform y///g substitutions, it's only on _raw and not on any other fields.</P> Sun, 29 Aug 2010 04:49:39 GMT https://community.splunk.com/t5/Getting-Data-In/Force-index-time-host-extraction-to-lower-case/m-p/38860#M7184 Stephen_Sorkin 2010-08-29T04:49:39Z