- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to change a input text field to upper case...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a form, which has a text field for users to enter the orderid. users can enter in lower case or upper case. The OrderID is stored in upper case in splunk.
so I want to change the input text field to upper case and perform the search.
Below is my search query
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*$OrderID$* )| stats count
Below is the dashboard text field
<input type="text" token="OrderNumber" searchWhenChanged="true">
<label>Check Status of an Order or EXTID</label>
</input>
i tried changing the query to
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*upper($OrderID$)* )| stats count
but that didnt work.
Any help is appreciated. Thanks in Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you add ORDERID filter in main search (i.e. first pipe with index=), the search performed is case independent i.e.
ORDERID="ABCD" is same as ORDERID="abcd".
If you want to force ORDERID to be case sensitive (Same goes for SERVICE="ORDERS" as well if you want upper case), you would need to add it as a where condition after first pipe i.e.
index=<myindex> sourcetype="mysource" | where (SERVICE="ORDERS" AND ORDERID="upper($OrderID$)" ) | stats count
PS: For better search performance search filters should be applied before first pipe and not through where condition.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you add ORDERID filter in main search (i.e. first pipe with index=), the search performed is case independent i.e.
ORDERID="ABCD" is same as ORDERID="abcd".
If you want to force ORDERID to be case sensitive (Same goes for SERVICE="ORDERS" as well if you want upper case), you would need to add it as a where condition after first pipe i.e.
index=<myindex> sourcetype="mysource" | where (SERVICE="ORDERS" AND ORDERID="upper($OrderID$)" ) | stats count
PS: For better search performance search filters should be applied before first pipe and not through where condition.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. i was not sure the search will be case insensitive. i figured that out and it is working now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like @someson2 said, the base search is case-insensitive by default. However, it looks like you are using the wrong token.
The input field you pasted uses the token name "OrderNumber" and not "OrderID" (see token="OrderNumber"). If that is the case, your search should be the following:
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*$OrderNumber$* ) | stats count
Just a caveat, base searches use implied AND logic, so you could get rid of the parenthesis too.
index=<myindex> sourcetype="mysource" SERVICE="ORDERS" ORDERID=*$OrderNumber$* | stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk you're in?
Also, you're using the OrderID token in based search where case-insensitive match is done, so do you really need to change the case? It should be working fine anyways.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
