Splunk Search

How can I modify my stats search to count all variations of a field value with upper and lowercase text as a single count?

pavanae
Builder

Hi

The following is my search:

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" |rex field=_raw " Coupon code:(?<coupon>.*)" | stats count by coupon | sort - "count" | head 10

Which displays the result as follows:

coupon        count
WINTERGOOD    14368
WINTERgood    10149
Wintergood    3971
WinterGood    213
28K115Z1      196

Now I am trying to display all the wintergood coupons as a single count, whether they use capital letters, small letters, or a combination of both. All of those coupons were applicable, and I am trying to display them as one count without separating them by capital or small letters. How can I modify the Splunk search to display them as a single count?

Please suggest a way to display the result as I need.

1 Solution

richgalloway
SplunkTrust

Try this to normalize the coupon name.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" |rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=upper(coupon) | stats count by coupon | sort - "count" | head 10
---
If this reply helps you, Karma would be appreciated.

sideview
SplunkTrust

The simplest way is to just normalize all the capitalization before the stats command.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" |rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=lower(coupon) | stats count by coupon | sort - count | head 10

The eval function is one of the most powerful tools that you have in the Splunk search language, and the following reference page of all its functions should be kept close to hand at pretty much all times.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

pavanae
Builder

Thanks worked gr8.

0 Karma

pavanae
Builder

Thanks worked gr8

0 Karma
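
The normalization suggested in the answers above, as an added example that is not part of the original thread. It runs without any index by generating constructed sample events with makeresults, and it goes slightly beyond the answers: it also trims surrounding whitespace (the `.*` capture keeps any trailing spaces) and keeps the original spellings next to the merged count. The field names constructed_line, coupon_norm, variant_count and variants are assumptions made for this example.

```spl
| makeresults
| eval constructed_line=split("Coupon code:WINTERGOOD|Coupon code:WINTERgood |Coupon code:Wintergood|Coupon code:wintergood|Coupon code:28K115Z1", "|")
| mvexpand constructed_line
| rex field=constructed_line "Coupon code:(?<coupon>.*)"
| eval coupon_norm=upper(trim(coupon))
| stats count, dc(coupon) AS variant_count, values(coupon) AS variants BY coupon_norm
| sort - count
| head 10
```

Grouping by a separate normalized field leaves the raw coupon value available, so the variants column shows which spellings were actually submitted.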