Splunk Search
Highlighted

Capitalize every word of field in search results

Motivator

I have a list of Cities in a field that are all lower case.
Is there a way to capitalize them in search?
Example:
los angeles needs to be Los Angeles
kansas city needs to be Kansas City
new york city needs to be New York City
san francisco needs to be San Francisco

Also need this for names too.. i have JOHN SMITH.. and JOHN R SMITH for example that need to be John Smith and John R Smith

Tags (3)
Highlighted

Re: Capitalize every word of field in search results

Legend

Do you mean that the search results should be converted or that you have some kind of search input that needs to be converted?

0 Karma
Highlighted

Re: Capitalize every word of field in search results

Motivator

search results, so if possible use of eval etc.

0 Karma
Highlighted

Re: Capitalize every word of field in search results

Ultra Champion

Not that I've tried it (yet), but I assume that a fieldX that holds an arbitrary string like in your examples could be formatted like so;

... | eval fieldX = lower(fieldX) | makemv delim=" " fieldX | mvexpand fieldX | eval A = substr(fieldX, 1, 1) | eval B = substr(fieldX,2) | eval A = upper(A) | eval fieldX = A.B | fields - A, B | mvcombine fieldX | eval fieldX = mvjoin(fieldX, " ")

maybe..

EDIT: Needed to remove the temp fields in order for the mvcombine to work

View solution in original post

Highlighted

Re: Capitalize every word of field in search results

Ultra Champion

tested and works with the following strings in fieldX;

all work and no play makes jack a dull boy
ALL WORK AND NO PLAY MAKES JACK A DULL BOY
ALL wORK anD NO pLaY MaKeS JACk a dull bOy

they all come out as

All Work And No Play Makes Jack A Dull Boy

/k

0 Karma
Highlighted

Re: Capitalize every word of field in search results

Ultra Champion

It seems rather inefficient, and it probably is. However, since the string can be 1, 2, 3 or n words long, it's safest to build it like this, since (AFAIK) there is no foreach() functionality that can operate on the different values of a multivalued field directly. Or on the (single valued) field with a multiword string either for that matter.

/K

0 Karma
Highlighted

Re: Capitalize every word of field in search results

Path Finder

If you want to avoid mvexpand/mvcombine (which have performance and capping risks), try this...

| makeresults | eval str="JOHN SMITH new york city dEvOnShIrE" 
| eval str=lower(str)
| rex mode=sed field=str "s/^([a-z])/__\1__/ s/ ([a-z])/ __\1__/g s/__a__/A/g s/__b__/B/g s/__c__/C/g s/__d__/D/g s/__e__/E/g s/__f__/F/g s/__g__/G/g s/__h__/H/g s/__i__/I/g s/__j__/J/g s/__k__/K/g s/__l__/L/g s/__m__/M/g s/__n__/N/g s/__o__/O/g s/__p__/P/g s/__q__/Q/g s/__r__/R/g s/__s__/S/g s/__t__/T/g s/__u__/U/g s/__v__/V/g s/__w__/W/g s/__x__/X/g s/__y__/Y/g s/__z__/Z/g"

Not the prettiest, but reasonably efficient, I'd guess.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.