How to configure Splunk to parse uppercase field values and make them lowercase?

renanprado96
Path Finder

I have an index that has some data entering written in uppercase and other data in lowercase, but they are about the same thing.

Here is an example:

[image]

HOTMAIL.COM is the same as hotmail.com.

I know the lower() function, but how do I deal with this data before inserting it?

I tried using this in the .props file:

SEDCMD-upper2lower = s/[aA]/a/g s/[bB]/b/g s/[cC]/c/g s/[dD]/d/g s/[eE]/e/g s/[fF]/f/g s/[gG]/g/g s/[hH]/h/g s/[iI]/i/g s/[jJ]/j/g s/[kK]/k/g s/[lL]/l/g s/[mM]/m/g s/[nN]/n/g s/[oO]/o/g s/[pP]/p/g s/[qQ]/q/g s/[rR]/r/g s/[sS]/s/g s/[tT]/t/g s/[uU]/u/g s/[vV]/v/g s/[wW]/w/g s/[xX]/x/g s/[yY]/y/g s/[zZ]/z/g

but I could not make it work.

Thank you!!


woodcock
Esteemed Legend

You should have made an update to your original answer instead of opening a new one. In any case, the solution does work so you need to share the details of how you implemented it. What is the full path for your props.conf file? Where did you put this file (what servers)?

You need to put this on your indexers (unless you are using INDEXED_EXTRACTIONS) and you need to restart all Splunk instances there. After that, the changes will only apply to data that is indexed after the restart (older events will not be affected).


renanprado96
Path Finder

props.conf:

[image]

input.conf:

[image]

directory files:
D:\Splunk\SplunkIn\dd


woodcock
Esteemed Legend

Ah, you are using INDEXED_EXTRACTIONS. In that case, I would switch to using calculated fields, which would affect post-indexed data. It should allow everything to work as you would expect but it will not change the raw data. Try this in props.conf:

[digital2_csv]
EVAL-Dominio=lower(Dominio)
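
An added example, not part of the thread and not Splunk's own code: a pre-ingest take on the original question that lowercases only the Dominio column of a CSV file before Splunk monitors it. Unlike the SEDCMD attempt, which rewrites every letter of the raw event, it leaves the other columns as they were. Only the Dominio name comes from the thread; the other column names, the sample rows, and the whitespace trimming are assumptions.

```python
import csv
import io

# Constructed sample: only the Dominio column name comes from the thread;
# the other columns and all values are made up for illustration.
SAMPLE_CSV = (
    "Usuario,Dominio,Status\r\n"
    "Alice,HOTMAIL.COM,OK\r\n"
    "bob,hotmail.com,FAIL\r\n"
    "Carol,Example.ORG ,OK\r\n"
)


def lowercase_column(src, dst, column="Dominio"):
    """Copy CSV rows from src to dst, lowercasing only `column`.

    Returns the number of rows whose value was changed. Raises KeyError
    when the header has no such column, so a renamed field fails loudly
    instead of passing through un-normalized.
    """
    reader = csv.DictReader(src)
    if reader.fieldnames is None or column not in reader.fieldnames:
        raise KeyError(f"column {column!r} not in header {reader.fieldnames}")
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames)
    writer.writeheader()
    changed = 0
    for row in reader:
        original = row[column] or ""  # short rows yield None for the column
        # Trim stray whitespace too, so "Example.ORG " matches "example.org".
        normalized = original.strip().lower()
        changed += normalized != original
        row[column] = normalized
        writer.writerow(row)
    return changed


def normalize_text(text, column="Dominio"):
    """Convenience wrapper for in-memory CSV text; returns (output, changed)."""
    out = io.StringIO(newline="")
    changed = lowercase_column(io.StringIO(text, newline=""), out, column)
    return out.getvalue(), changed


if __name__ == "__main__":
    output, changed = normalize_text(SAMPLE_CSV)
    print(output, end="")
    print(f"{changed} value(s) normalized")
```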

renanprado96
Path Finder

Oh yeah, I get it.
I've tested it and it worked.
Thank you very much!!

Have a good day or night.. haha
