Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dataset regexed field to uppercase
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dataset regexed field to uppercase
Hello.
I have a dataset with a regular expression where i extract the hostname of the computer to a hostname variable.
However, in the searches i base this on, a lower case hostname does not work.
How can I add a simple eval to the dataset that does | eval hostname=upper(hostname) ?
(The error I get when i try to do this in the GUI is Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That error is what you get when a subsearch returns no values.
If you show us the actual search where you are trying to use it, we can help debug what is occurring.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the base event is just a regular cookie-cutter index=abc sourcetype=defg
There are a number of auto extracted fields in the data set, and one regular expression which extracts the hostname from a certain field in the dataset. The hostname is typed manually and sometimes is input in lowercase. When the field is extracted and additional logic is applied to the lowercase hostname, things break.
So the search is kind of irrelevant, since apparently I cant do |eval hostname=upper(hostname) in the web gui for the data set, no matter what type of field extraction I choose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@christoffertoft can you add some sample data and also your query?
If you are using where and lowercase hostname does not work can you replace where with search which should do case insensitive match.
Ideally, | eval hostname=upper(hostname) should work. Refer to following run anywhere search.
| makeresults
| eval hostname="abc123"
| eval hostname=upper(hostname)
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know, this is not a question about whether it works or not, it's just that it cant do it in the dataset in the GUI.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
