I have a form which has a text field for users to enter the order ID. Users can enter it in lower case or upper case. The OrderID is stored in upper case in Splunk.
So I want to change the input text field to upper case and perform the search.
Below is my search query:
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*$OrderID$* )| stats count
Below is the dashboard text field:
<input type="text" token="OrderNumber" searchWhenChanged="true">
<label>Check Status of an Order or EXTID</label>
</input>
I tried changing the query to:
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*upper($OrderID$)* )| stats count
But that didn't work.
Any help is appreciated. Thanks in advance.
When you add the ORDERID filter in the main search (i.e. first pipe with index=), the search performed is case independent, i.e.
ORDERID="ABCD" is the same as ORDERID="abcd".
If you want to force ORDERID to be case sensitive (same goes for SERVICE="ORDERS" as well if you want upper case), you would need to add it as a where condition after the first pipe, i.e.
index=<myindex> sourcetype="mysource" | where (SERVICE="ORDERS" AND ORDERID=upper("$OrderID$") ) | stats count
PS: For better search performance, search filters should be applied before the first pipe and not through a where condition.
Thanks. I was not sure the search would be case insensitive. I figured that out and it is working now.
Like @someson2 said, the base search is case-insensitive by default. However, it looks like you are using the wrong token.
The input field you pasted uses the token name "OrderNumber" and not "OrderID" (see token="OrderNumber"). If that is the case, your search should be the following:
index=<myindex> sourcetype="mysource" (SERVICE="ORDERS" AND ORDERID=*$OrderNumber$* ) | stats count
Just a caveat: base searches use implied AND logic, so you could get rid of the parentheses too.
index=<myindex> sourcetype="mysource" SERVICE="ORDERS" ORDERID=*$OrderNumber$* | stats count
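The points from the answers above combined into one dashboard, as an added example that is not from any poster in this thread. It assumes a Splunk version whose Simple XML accepts `<change>`/`<eval>` on text inputs; the token name OrderNumberUpper is hypothetical, and the search matches the full order ID rather than the wildcard form used in the question.

```xml
<form>
  <label>Order status (constructed example)</label>
  <fieldset submitButton="false">
    <input type="text" token="OrderNumber" searchWhenChanged="true">
      <label>Check Status of an Order or EXTID</label>
      <change>
        <!-- Derive an upper-cased copy of the typed value.
             OrderNumberUpper is a hypothetical token name. -->
        <eval token="OrderNumberUpper">upper($value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <!-- &lt;myindex&gt; is the placeholder from the question.
               The filter before the first pipe is case-insensitive and keeps the search fast;
               the where clause then enforces the case-sensitive match.
               The |s token filter wraps the value in quotes and escapes it, so typed
               quotes or pipes are treated as data, not as search syntax. -->
          <query>index=&lt;myindex&gt; sourcetype="mysource" SERVICE="ORDERS" ORDERID=$OrderNumberUpper|s$
| where ORDERID=$OrderNumberUpper|s$
| stats count</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```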
What version of Splunk are you on?
Also, you're using the OrderID token in the base search, where a case-insensitive match is done, so do you really need to change the case? It should be working fine anyways.