Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I modify my stats search to count all variations of a field value with upper and lowercase text as a single count?

pavanae
Builder
‎10-14-2015 08:31 AM

Hi

The following is my search:

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order * Coupon code:*" |rex field=_raw " Coupon code:(?<coupon>.*)" | stats count by coupon | sort - "count" | head 10

Which Displays the result as follows

coupon             count
WINTERGOOD       14368
WINTERgood       10149
Wintergood       3971
WinterGood       213
28K115Z1           196

Now I am trying to display all the wintergood coupons as a single count, whether they use capital letters or small letters or combination of capital or small, all those coupons were applicable and I am trying to display all of them as one count without making them separate by capital or small letters. For that, how can I modify the Splunk search to display them as single count?

Please suggest me a way to display the result as I need.

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2015 08:37 AM

Try this to normalize the coupon name.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order Coupon code:" |rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=upper(coupon) | stats count by coupon | sort - "count" | head 10
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-14-2015 08:41 AM

The simplest way is to just normalize all the capitalization before the stats command. 

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order Coupon code:" |rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=lower(coupon) | stats count by coupon | sort - count | head 10

The eval function is one of the most powerful tools that you have in the Splunk search language, and the following reference page of all its functions should be kept close to hand at pretty much all times.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Reply
Solved! Jump to solution

pavanae
Builder
‎10-14-2015 08:53 AM

Thanks worked gr8.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2015 08:37 AM

Try this to normalize the coupon name.

index="baboon" "CouponFormHandler::handleClaimCoupon - Applying the coupon to order Coupon code:" |rex field=_raw " Coupon code:(?<coupon>.*)" | eval coupon=upper(coupon) | stats count by coupon | sort - "count" | head 10
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

pavanae
Builder
‎10-14-2015 08:53 AM

Thanks worked gr8

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...