Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I use the eval "lower" function to make a field lowercase?

IRHM73
Motivator
‎11-24-2015 12:11 AM

Hi, I wonder whether someone may be able to help me please.

I'm trying to make changes to the partial script below to make the field "inFullName" lowercase.

index=main auditSource="matching" auditType="Tx*"
 | rex "IncomingSearchRequest\(Some\((?<inNINO>[^\)]+)\),Some\((?<inFName>[^\)]+)\),Some\((?<inSName>[^\)]+)\),Some\((?<inDOB>[^\)]+)\)\)"
 | eval date=inDOB | eval inDOB=replace(inDOB,"(\d+)-(\d+)-(\d+)","\3/\2/\1") 
 | eval inFullName= inFName." ".inSName 
 | eval inFull_Details= "FullName: ".inFullName.", NINO: ".inNINO.", DOB: ".inDOB
 | makemv delim=", " inFull_Details

I've tried using | eval inFullName=lower(inFullName) at multiple points in the search, but the field fails to display any data, so somewhere along the lines I've gone wrong.

Could someone have a look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 05:55 AM

What values do you have for inFullName?. I just tried this and it works as expected

| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-24-2015 12:00 PM

It is hard (impossible) to say without sample event data.

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-24-2015 10:24 PM

Hi @woodcock, thank you for taking the time to come back to me with this. You'll see from my comment above that I was able to use the solution provided by @sundareshr.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 05:55 AM

What values do you have for inFullName?. I just tried this and it works as expected

| gentimes start=-1 | eval inFName="Mother" | eval inSName="THeresa" | eval inFullNameUL= lower(inFName)." ".upper(inSName) | eval inFullNameL=lower(inFullNameUL) | table inFName inSName inFullNameL inFullNameUL
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-24-2015 10:23 PM

Hi @sundareshr, thank you for taking the time to reply to my post.

Could you perhaps explain to me what "gentimes start=-1" does, because when I used this I received an error message.

Anyway with some tweaks to fit in with the data I need I used | eval inFullNameL= lower(inFName)." ".lower(inSName) and it worked perfectly.

If you want to change this to an answer I can accept this.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-25-2015 06:14 AM

@IRHM73, Converted to answer. I used gentimes (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes) only to provide a run-anywhere example. It has not relevance to your search.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...