Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to configure Splunk to parse uppercase field values and make them lowercase?

renanprado96
Path Finder
‎06-30-2016 06:58 AM

I have an index that has some data entering written in uppercase and other data in lowercase, but they are about the same thing.

Here is an example:

alt text

HOTMAIL.COM It is the same as hotmail.com

I know the lower() function, but how to deal with this data before inserting them?

I tried using in the file .props this:

SEDCMD-upper2lower = s/[aA]/a/g s/[bB]/b/g s/[cC]/c/g s/[dD]/d/g s/[eE]/e/g s/[fF]/f/g s/[gG]/g/g s/[hH]/h/g s/[iI]/i/g s/j/[jJ]/g s/[kK]/k/g s/[lL]/l/g s/[mM]/m/g s/[nN]/n/g s/[oO]/o/g s/[pP]/p/g s/[qQ]/q/g s/[rR]/r/g s/[sS]/s/g s/[tT]/t/g s/[uU]/u/g s/[vV]/v/g s/[wW]/w/g s/[xX]/x/g s/[yY]/y/g s/[zZ]/z/g

but could not make it work

Thank you!!

Tags (2)
Preview file
28 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-30-2016 07:12 AM

You should have made an update to your original answer instead of opening a new one. In any case, the solution does work so you need to share the details of how you implemented it. What is the full path for your props.conf file? Where did you put this file (what servers)?

You need to put this on your indexers (unless you are using INDEXED_EXTRACTIONS) and you need to restart all splunk instances there. After that, the changes will only apply to data that is indexed after the restart (older events will not be effected).

View solution in original post

Reply
Solved! Jump to solution

renanprado96
Path Finder
‎06-30-2016 10:43 AM

props.conf:

alt text
.
.
.

input.conf:

alt text
.
.

directory files:
D:\Splunk\SplunkIn\dd

Preview file
78 KB
Preview file
48 KB
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-30-2016 07:12 AM

You should have made an update to your original answer instead of opening a new one. In any case, the solution does work so you need to share the details of how you implemented it. What is the full path for your props.conf file? Where did you put this file (what servers)?

You need to put this on your indexers (unless you are using INDEXED_EXTRACTIONS) and you need to restart all splunk instances there. After that, the changes will only apply to data that is indexed after the restart (older events will not be effected).

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-30-2016 11:16 AM

Ah, you are using INDEXED_EXTRACTIONS. In that case, I would switch to using calculated fields which would effect post-indexed data. It should allow everything to work as you would expect but it will not change the raw data. Try this in props.conf:

[digital2_csv]
EVAL-Dominio=lower(Dominio)
0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎06-30-2016 11:37 AM

Oh yeah, I get it.
I've tested it and it worked.
Thank you very much!!

Have a good day or night.. haha

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...