Splunk Search

How to exclusively search for lower-case characters

david1395
New Member

My query is for searching users...i.e david OR tom OR cindy...

The results are:

David
david
Tom
tom
Cindy
cindy

What do I have to change in my search to get just the small names...because the others are wrong usernames,

0 Karma

to4kawa
Ultra Champion
index=your_index  your_field IN (CASE("david"), CASE("tom"), CASE("cindy"))

There are many.

0 Karma

koshyk
Super Champion

using CASE() is the most efficient way as it filters at _raw event itself

woodcock
Esteemed Legend

Definitely.

0 Karma

DavidHourani
Super Champion

Totally.

But if he has a million users then he's not going to CASE CASE CASE, he's better off just extracting the lowercase stuff in a field and using that or using a regex as a filter

woodcock
Esteemed Legend

It might be in a lookup and then he can use a subsearch with format to insert CASE( and ).

DavidHourani
Super Champion

True true.

woodcock
Esteemed Legend

Like this:

index="YouShouldALwaysSpecifyAnIndexEvenIfJust*" AND sourcetype="AndSourcetypeToo" AND (CASE(david) OR CASE(tom) OR CASE(cindy)) ...
0 Karma

DavidHourani
Super Champion

Hi @david1395,

You should change the way that field is extracted to avoid having to filter out to names in capital.

Look at the extraction of the field and instead of match any character in the name use something like ([a-z])+ to match lowercase letter only. After that your field will only contain all the valid lowercase letters.

Let me know how that works out for you.

Cheers,
another David

0 Karma

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval name="David,david,Tom,tom,Cindy,cindy" 
| makemv delim="," name 
| mvexpand name 
| regex name="^[a-z]+$"
0 Karma

aberkow
Builder
| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| where like(names,"%david%")

Using the where command with a regex match is one option, alternatively you can just lower all the names previously in your search:

| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| eval names=lower(names) 

Hope this helps!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...