https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460971#M130044 <P>Once I figured out the single quote issue above your solution worked great! Thank you!</P> Tue, 22 Oct 2019 21:00:16 GMT rmhughes 2019-10-22T21:00:16Z https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460967#M130040 <P>I occasionally use Splunk as part of my job to research issues, but am very much a novice. The query below charts the stored procedures and maps their average run times (and it works).</P> <PRE><CODE>index=X sourcetype IN Y source IN Z | spath "TotalDuration" | search "TotalDuration"="*" | chart avg(TotalDuration) as average over ProcName </CODE></PRE> <P>The issue I'm running into is that the procs may be called with slight variations, such as:<BR /> sp_DoAThing<BR /> sp_doathing<BR /> [sp_doathing]</P> <P>What I'd like to do is ignore case and remove brackets, so that all three of the examples above return as one proc with one average duration, instead of three. It says I don't have enough karma points to post links so I can't share the similar questions I've read through, but the answers I've seen (for ignoring case) seem as simple as,</P> <PRE><CODE>| eval ProcName = lower(ProcName) </CODE></PRE> <P>but I have tried that in many locations and many variations and cannot get it to work. Any help would be greatly appreciated.</P> Wed, 30 Sep 2020 02:37:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460967#M130040 rmhughes 2020-09-30T02:37:53Z https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460968#M130041 <P>You're on the right track with <CODE>lower</CODE> to normalize case. I'm interested in what you get when you try it.<BR /> Removing brackets is done with the <CODE>trim</CODE> function.</P> <PRE><CODE> index=X sourcetype IN Y source IN Z | spath "TotalDuration" | search "TotalDuration"="*" | eval ProcName=trim(lower(ProcName),"[]") | chart avg(TotalDuration) as average over ProcName </CODE></PRE> Tue, 15 Oct 2019 23:58:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460968#M130041 richgalloway 2019-10-15T23:58:17Z https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460969#M130042 <P>For some reason this doesn't work for me:</P> <PRE><CODE>| eval ProcName = lower(ProcName) </CODE></PRE> <P>It tells me no results are found. I simplified the Proc Name field for the purposes of asking the question. The actual field name is more like:</P> <PRE><CODE>| eval A.B.C = lower(A.B.C) </CODE></PRE> <P>Is it possible the periods are messing with it?</P> Tue, 22 Oct 2019 20:51:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460969#M130042 rmhughes 2019-10-22T20:51:55Z https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460970#M130043 <P>Yup... that was it. I needed to put single quotes around it.</P> Tue, 22 Oct 2019 20:56:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460970#M130043 rmhughes 2019-10-22T20:56:23Z https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460971#M130044 <P>Once I figured out the single quote issue above your solution worked great! Thank you!</P> Tue, 22 Oct 2019 21:00:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-ignore-case-and-remove-characters/m-p/460971#M130044 rmhughes 2019-10-22T21:00:16Z