Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to ignore case and remove characters?

rmhughes
Explorer
‎10-15-2019 12:42 PM

I occasionally use Splunk as part of my job to research issues, but am very much a novice. The query below charts the stored procedures and maps their average run times (and it works).

index=X sourcetype IN Y source IN Z
| spath "TotalDuration"              
| search "TotalDuration"="*" 
| chart avg(TotalDuration) as average over ProcName

The issue I'm running into is that the procs may be called with slight variations, such as:
sp_DoAThing
sp_doathing
[sp_doathing]

What I'd like to do is ignore case and remove brackets, so that all three of the examples above return as one proc with one average duration, instead of three. It says I don't have enough karma points to post links so I can't share the similar questions I've read through, but the answers I've seen (for ignoring case) seem as simple as,

| eval ProcName = lower(ProcName)

but I have tried that in many locations and many variations and cannot get it to work. Any help would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2019 04:58 PM

You're on the right track with lower to normalize case. I'm interested in what you get when you try it.
Removing brackets is done with the trim function.

 index=X sourcetype IN Y source IN Z
 | spath "TotalDuration"              
 | search "TotalDuration"="*" 
 | eval ProcName=trim(lower(ProcName),"[]")
 | chart avg(TotalDuration) as average over ProcName
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2019 04:58 PM

You're on the right track with lower to normalize case. I'm interested in what you get when you try it.
Removing brackets is done with the trim function.

 index=X sourcetype IN Y source IN Z
 | spath "TotalDuration"              
 | search "TotalDuration"="*" 
 | eval ProcName=trim(lower(ProcName),"[]")
 | chart avg(TotalDuration) as average over ProcName
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rmhughes
Explorer
‎10-22-2019 02:00 PM

Once I figured out the single quote issue above your solution worked great! Thank you!

0 Karma
Reply
Solved! Jump to solution

rmhughes
Explorer
‎10-22-2019 01:51 PM

For some reason this doesn't work for me:

| eval ProcName = lower(ProcName)

It tells me no results are found. I simplified the Proc Name field for the purposes of asking the question. The actual field name is more like:

| eval A.B.C = lower(A.B.C)

Is it possible the periods are messing with it?

0 Karma
Reply
Solved! Jump to solution

rmhughes
Explorer
‎10-22-2019 01:56 PM

Yup... that was it. I needed to put single quotes around it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...