- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to exclusively search for lower-case chara...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to exclusively search for lower-case characters
My query is for searching users...i.e david OR tom OR cindy...
The results are:
David
david
Tom
tom
Cindy
cindy
What do I have to change in my search to get just the small names...because the others are wrong usernames,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=your_index your_field IN (CASE("david"), CASE("tom"), CASE("cindy"))
There are many.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using CASE() is the most efficient way as it filters at _raw event itself
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Definitely.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Totally.
But if he has a million users then he's not going to CASE CASE CASE, he's better off just extracting the lowercase stuff in a field and using that or using a regex as a filter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be in a lookup and then he can use a subsearch with format to insert CASE( and ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="YouShouldALwaysSpecifyAnIndexEvenIfJust*" AND sourcetype="AndSourcetypeToo" AND (CASE(david) OR CASE(tom) OR CASE(cindy)) ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @david1395,
You should change the way that field is extracted to avoid having to filter out to names in capital.
Look at the extraction of the field and instead of match any character in the name use something like ([a-z])+ to match lowercase letter only. After that your field will only contain all the valid lowercase letters.
Let me know how that works out for you.
Cheers,
another David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Check this
| makeresults
| eval name="David,david,Tom,tom,Cindy,cindy"
| makemv delim="," name
| mvexpand name
| regex name="^[a-z]+$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| where like(names,"%david%")
Using the where command with a regex match is one option, alternatively you can just lower all the names previously in your search:
| makeresults count=2
| streamstats count
| eval names=case(count=1, "David", count=2, "david")
| eval names=lower(names)
Hope this helps!
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
