Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracted Field to be case insensitive

harshjets
Engager
‎04-08-2013 02:27 AM

Hi,
I have a
Event 1 : 2013-04-02 04:22:38 199.xx.x.211 OPTIONS /CockpitNew - 4444 domain1\123456 102.220.13.119 ebDAV-MiniRedir/6.1.7600 200 0 64 143
Event 2 : 2013-04-02 05:22:38 199.xx.x.211 OPTIONS /CockpitNew - 4444 DOMAIN1\123456 102.220.13.119 ebDAV-MiniRedir/6.1.7600 200 0 64 143
When I extract the Domain field: domain1 & DOMAIN1 come up separately.
I want both of them to be under the DOMAIN1 value.
How can I do it. The regular regex during field extraction doesn't let me.

Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-08-2013 02:36 AM

Regular expressions cannot do this. You can however define a calculated field that converts each value to upper case.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/definecalcfields

Reply

andreac81
Explorer
‎04-27-2017 07:38 AM

I have the same problem, I have many fields extracted with regular expression that sometimes are uppercase, other times are lowercase.
I need to define a calculated field for each filed or is some way to define only one calculated field that converts all fields in uppercase?

0 Karma
Reply

somesoni2
Revered Legend
‎04-27-2017 11:10 AM

You would need to create separate calculated field for each field whose value you want to change to upper case.

0 Karma
Reply

alemarzu
Motivator
‎04-27-2017 09:37 AM

Try this andreac, working example just copy & paste code.

| makeresults 
| eval temp="2013-04-02 04:22:38 199.xx.x.211 OPTIONS /CockpitNew - 4444 domain1\123456 102.220.13.119 ebDAV-MiniRedir/6.1.7600 200 0 64 143"."#"."2013-04-02 05:22:38 199.xx.x.211 OPTIONS /CockpitNew - 4444 DOMAIN1\123456 102.220.13.119 ebDAV-MiniRedir/6.1.7600 200 0 64 143"
| makemv delim="#" temp
| mvexpand temp
| rex field=temp max_match=0 "(?)-\s[\d]+\s(?<IMINSENSITIVE>[^\s]+)\s[\d\.]+\s"
| eval IMINSENSITIVE=lower(IMINSENSITIVE)

Hope it helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...