Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I use the eval "lower" function to make...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm trying to make changes to the partial script below to make the field "inFullName" lowercase.
index=main auditSource="matching" auditType="Tx*"
| rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
| eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1")
| eval inFullName= inFName." ".inSName
| eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
| makemv delim=", " inFull_Details
I've tried using | eval inFullName=lower(inFullName) at multiple points in the search, but the field fails to display any data, so somewhere along the lines I've gone wrong.
Could someone have a look at this please and let me know where I've gone wrong?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What values do you have for inFullName?. I just tried this and it works as expected
| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is hard (impossible) to say without sample event data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @woodcock, thank you for taking the time to come back to me with this. You'll see from my comment above that I was able to use the solution provided by @sundareshr.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What values do you have for inFullName?. I just tried this and it works as expected
| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sundareshr, thank you for taking the time to reply to my post.
Could you perhaps explain to me what "gentimes start=-1" does, because when I used this I received an error message.
Anyway with some tweaks to fit in with the data I need I used | eval inFullNameL= lower(inFName)." ".lower(inSName) and it worked perfectly.
If you want to change this to an answer I can accept this.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@IRHM73, Converted to answer. I used gentimes (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes) only to provide a run-anywhere example. It has not relevance to your search.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
