My query is for searching users, i.e. david OR tom OR cindy...
The results are:
David
david
Tom
tom
Cindy
cindy
What do I have to change in my search to get just the small names, because the others are wrong usernames?
index=your_index your_field IN (CASE("david"), CASE("tom"), CASE("cindy"))
There are many.
Using CASE() is the most efficient way, as it filters at the _raw event itself.
Definitely.
Totally.
But if he has a million users then he's not going to CASE CASE CASE; he's better off just extracting the lowercase stuff in a field and using that, or using a regex as a filter.
It might be in a lookup and then he can use a subsearch with format to insert CASE( and ).
True true.
Like this:
index="YouShouldALwaysSpecifyAnIndexEvenIfJust*" AND sourcetype="AndSourcetypeToo" AND (CASE(david) OR CASE(tom) OR CASE(cindy)) ...
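Added example, not part of the original thread: one way to generate the CASE() terms from a lookup, as suggested in the comments above. It builds the search string with eval and mvjoin rather than with the format command, and relies on a subsearch field named search being inserted into the outer search as-is. The lookup valid_users.csv, its column user, and the index and sourcetype names are hypothetical placeholders.

```spl
index=your_index sourcetype=your_sourcetype
    [| inputlookup valid_users.csv
     | eval term="CASE(" . user . ")"
     | stats values(term) AS term
     | eval search="(" . mvjoin(term, " OR ") . ")"
     | fields search ]
```

Run on its own, the part inside the brackets shows the generated filter: for a lookup containing david, tom and cindy it returns a single search field with the value (CASE(cindy) OR CASE(david) OR CASE(tom)).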
Hi @david1395,
You should change the way that field is extracted to avoid having to filter out the names in capitals.
Look at the extraction of the field and, instead of matching any character in the name, use something like ([a-z])+ to match lowercase letters only. After that your field will only contain all the valid lowercase letters.
Let me know how that works out for you.
Cheers,
another David
Hi
Check this
| makeresults
| eval name="David,david,Tom,tom,Cindy,cindy"
| makemv delim="," name
| mvexpand name
| regex name="^[a-z]+$"
| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| where like(names,"%david%")
Using the where command with a regex match is one option; alternatively, you can just lower all the names previously in your search:
| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| eval names=lower(names)
Hope this helps!