How to use a look up in q query with lower case to...

HenryFitzerald · ‎11-05-2018

Hi ,I am new to Splunk could I please ask any assistance.
I have two tokens in a user interface which vary depending on chosen drop down box values.
Example
$enter_feature_tok$ =CAA
$service_family_tok$=GMM

But I need to use chosen token values in a query to look up a table f s but the lookup variables is in lowercase not uppercase CAA and GMM.
Text in query is => "lookup tp_gmm_cca_digital_map" . You see gmm and cca.

I wanted to substitute gmm with lower case tokens=> lower($enter_feature_tok$) which has a current value GMM by saying lower($service_family_tok$ ) to give me "gmm" and same for
CAA by saying lower($enter_feature_tok$ ) to give me "caa" and appending the lowercase tokens so it becomes as =>tp_lower($service_family_tok$)lower($enter_feature_tok$)_telnet_map
in query resulting in => "tp_lower($service_family_tok$)_lower($enter_feature_tok$)_telnet_map"
The only constants are "tp" and "_telnet_map"
But it did not work could anyone please assist or suggest ,much appreciated.

martin_mueller · ‎11-05-2018

Make the lookup case insensitive via its transforms.conf entry or settings -> lookups -> lookup definitions -> that lookup -> somethingsomethingcaseinsensitiveyou'llfindit.

How to use a look up in q query with lower case tokens appended .

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?