How to change a input text field to upper case and search for the changed value

vamshi245
New Member

I have a form which has a text field for users to enter the order ID. Users can enter it in lower case or upper case. The OrderID is stored in upper case in Splunk.

So I want to change the input text field to upper case and perform the search.

Below is my search query

index=<myindex>  sourcetype="mysource"  (SERVICE="ORDERS" AND  ORDERID=*$OrderID$*   )| stats count

Below is the dashboard text field

<input type="text" token="OrderNumber" searchWhenChanged="true">
  <label>Check Status of an Order or EXTID</label>
</input>

I tried changing the query to

index=<myindex>  sourcetype="mysource"  (SERVICE="ORDERS" AND  ORDERID=*upper($OrderID$)*   )| stats count

but that didn't work.

Any help is appreciated. Thanks in Advance


niketn
Legend

When you add the ORDERID filter in the main search (i.e. before the first pipe, with index=), the search performed is case independent, i.e. ORDERID="ABCD" is the same as ORDERID="abcd".

If you want to force ORDERID to be case sensitive (the same goes for SERVICE="ORDERS" as well if you want upper case), you would need to add it as a where condition after the first pipe, i.e.

index=<myindex>  sourcetype="mysource"  | where (SERVICE="ORDERS" AND  ORDERID=upper("$OrderID$")   ) | stats count

PS: For better search performance, search filters should be applied before the first pipe and not through a where condition.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


vamshi245
New Member

Thanks. I was not sure the search will be case insensitive. I figured that out and it is working now.

rjthibod
Champion

Like @somesoni2 said, the base search is case-insensitive by default. However, it looks like you are using the wrong token.

The input field you pasted uses the token name "OrderNumber" and not "OrderID" (see token="OrderNumber"). If that is the case, your search should be the following:

index=<myindex>  sourcetype="mysource"  (SERVICE="ORDERS" AND  ORDERID=*$OrderNumber$* ) | stats count

Just a caveat, base searches use implied AND logic, so you could get rid of the parentheses too.

index=<myindex>  sourcetype="mysource"  SERVICE="ORDERS" ORDERID=*$OrderNumber$*  | stats count
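
A Simple XML form that combines the two answers above, added here as an example and not taken from any poster's dashboard: the input keeps the token name OrderNumber, a change handler derives an upper-cased token, and the second panel uses it in a case-sensitive where comparison. The index name example_index, the panel titles and the token name OrderNumberUpper are assumptions.

```xml
<form>
  <label>Order status lookup</label>
  <fieldset submitButton="false">
    <!-- The token name here must match the $...$ reference in every search below -->
    <input type="text" token="OrderNumber" searchWhenChanged="true">
      <label>Check Status of an Order or EXTID</label>
      <change>
        <!-- Derived token (assumed name): the typed value converted to upper case -->
        <eval token="OrderNumberUpper">upper($value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Filter before the first pipe (value match ignores case)</title>
      <single>
        <search>
          <!-- example_index is a placeholder index name -->
          <query>index=example_index sourcetype="mysource" SERVICE="ORDERS" ORDERID=*$OrderNumber$* | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>where filter (exact, case-sensitive match)</title>
      <single>
        <search>
          <!-- |s wraps the token value in double quotes, so where sees a string
               literal instead of reading the typed text as a field name -->
          <query>index=example_index sourcetype="mysource" SERVICE="ORDERS" | where ORDERID=$OrderNumberUpper|s$ | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```

The first panel returns the same count whether the order ID is typed in lower or upper case; the second matches only the exact upper-cased value and supports no wildcards.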

somesoni2
Revered Legend

What version of Splunk are you on?

Also, you're using the OrderID token in the base search, where a case-insensitive match is done, so do you really need to change the case? It should be working fine anyway.
