Partial String Conversion to lower case

HenryFitzerald
New Member

Hi,

Could anyone assist, thanks.

I have two token values that vary depending on the chosen drop-down box but are all in uppercase: "CAA" and "GMM".

Example
$enter_feature_tok$ =CAA
$service_family_tok$=GMM

But I need to use these queries as part of a string for a lookup query variable, and need to convert them to lowercase as "gmm" and "caa".
Text in query is => "lookup tp_gmm_cca_digital_map". You see gmm and cca as part of the string.

I wanted to substitute the token values as lower case using => lower($enter_feature_tok$) to give "gmm" and the same for CAA by saying lower($enter_feature_tok$) to give "caa", so I can append to the string as => tp_lower($service_family_tok$)_lower($enter_feature_tok$)_telnet_map, which would become => tp_gmm_cca_telnet_map

The constants in string are "tp_" and "_telnet_map"

But it did not work, and I also tried [lookup eval tp_gmm_cca_digital_map =lower(tp_$service_family$_$enter_feature_tok$_digital_map) ].
If anyone could please assist or suggest, thanks.


renjith_nair
Legend

@HenryFitzerald,

As discussed on https://answers.splunk.com/answers/696582/can-you-help-me-with-my-query-involving-two-static.html#an... the below should work for you:

 <form>
   <label>Dropdown Example</label>
   <fieldset submitButton="false">
     <input type="dropdown" token="service_family_tok">
       <label>First Drop Down</label>
       <choice value="GMM">GMM</choice>
       <choice value="EDH">EDH</choice>
       <choice value="PWS">PWS</choice>
       <default>GMM</default>
       <initialValue>GMM</initialValue>
       <change>
         <condition value="EDH">
           <set token="feature_values">STMTS-COUNT,MANAGACCT,INBOX,STMTS,ACCTS2,ACCTS</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="GMM">
           <set token="feature_values">CCA,RESAVER</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="HWBT">
           <set token="feature_values">PLA</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="PWS">
           <set token="feature_values">TP</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
       </change>
     </input>
     <input type="dropdown" token="enter_feature_tok">
       <label>Second Dropdown</label>
       <fieldForLabel>feature</fieldForLabel>
       <fieldForValue>feature</fieldForValue>
       <search>
         <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
         <earliest>-1s@s</earliest>
         <latest>now</latest>
       </search>
       <change>
         <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
         <eval token="l_enter_feature_tok">lower($value$)</eval>
       </change>
     </input>
   </fieldset>
   <row depends="$enter_feature_tok$">
     <panel>
       <title>This html part is just to print the tokens and can be removed</title>
       <html>
        <h2> Here is an example of LOOKUP filename for $service_family_tok$ AND $enter_feature_tok$ </h2>
        <h1> "your base search here" | lookup tp_$l_service_family_tok$_$l_enter_feature_tok$_digital_map "your lookup terms"   </h1>
      </html>
     </panel>
   </row>
 </form>
Happy Splunking!
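
Added example (not part of the original answer): a chart panel that uses the derived lowercase tokens in the query from the question, instead of only printing them. The lookup name, fields and index come from the thread; the `search` keyword before `tp_feature`, the `|s` quoting filter and the time range are assumptions.

```xml
<!-- Added example: place inside the <form>, next to the existing <row>. -->
<!-- The row stays hidden until the second dropdown has a value, which is
     also when the <eval> handlers have set both lowercase tokens. -->
<row depends="$enter_feature_tok$">
  <panel>
    <title>Count by client_id for $service_family_tok$ / $enter_feature_tok$</title>
    <chart>
      <search>
        <!-- The lookup name is built from the lowercase tokens, e.g. GMM + CCA
             gives tp_gmm_cca_digital_map.
             Assumption: the question's "| tp_feature =CAA" is meant as a
             search filter. $enter_feature_tok|s$ wraps the value in quotes. -->
        <query>index="main" source=technical_lm
| lookup tp_$l_service_family_tok$_$l_enter_feature_tok$_digital_map tp_wildcard
| search tp_feature=$enter_feature_tok|s$
| timechart count by client_id</query>
        <!-- Assumed time range; adjust to the dashboard's needs. -->
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </chart>
  </panel>
</row>
```

Every dropdown combination needs a matching lookup definition named tp_<family>_<feature>_digital_map; a combination without one makes the search fail.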


HenryFitzerald
New Member

Excellent, thanks Renjith.

kamlesh_vaghela
SplunkTrust

@HenryFitzerald

Can you please share your sample dashboard XML? So we can assist on that directly.


HenryFitzerald
New Member

Hi Kamlesh, thanks for the reply. The query looks as =>

index="main" source=technical_lm | lookup tp_gmm_cca_digital_map tp_wildcard | tp_feature =CAA | timechart count by client_id

I can say in query "tp_feature"=$enter_feature_tok$ but "tp_gmm_cca_digital_map" is where I want to use GMM and CAA in lower case [lookup eval tp_gmm_cca_digital_map in query as=> lower(tp_$service_family$_$enter_feature_tok$_digital_map) ]

Code is as below. Please let me know if you have any questions; it's really only about the string => tp_gmm_cca_digital_map and how to replace gmm and cca with the appended values of the two tokens GMM & CCA in lower case to use in the query.

 <form>
   <label>Dropdown Example</label>
   <fieldset>
     <input type="dropdown" token="service_family_tok">
       <label>First Drop Down</label>
       <choice value="GMM">GMM</choice>
       <choice value="HWBT">HWBT</choice>
       <choice value="EDH">EDH</choice>
       <choice value="PWS">PWS</choice>
       <default>GMM</default>
       <initialValue>GMM</initialValue>
       <change>
         <condition value="EDH">
           <set token="feature_values">STMTS-COUNT,MANAGACCT,INBOX,STMTS,ACCTS2,ACCTS</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="GMM">
           <set token="feature_values">CCA,RESAVER</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="HWBT">
           <set token="feature_values">PLA</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="PWS">
           <set token="feature_values">TP</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
       </change>
     </input>
     <input type="dropdown" token="enter_feature_tok">
       <label>Second Dropdown</label>
       <fieldForLabel>feature</fieldForLabel>
       <fieldForValue>feature</fieldForValue>
       <search>
         <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
         <earliest>-1s@s</earliest>
         <latest>now</latest>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <html>
         <h3>Service Family Token : $service_family_tok$ , Feature Token : $enter_feature_tok$</h3>
       </html>
     </panel>
   </row>
 </form>

index="main" source=technical_lm | lookup tp_gmm_cca_digital_map tp_wildcard | tp_feature =CAA | timechart count by client_id

HenryFitzerald
New Member

I think I made it complicated. It's as two variables with values "CAA" and "GMM" (uppercase) as below: $enter_feature_tok$ =CAA $service_family_tok$=GMM. I also have a variable tp_gmm_cca_digital_map. I have been attempting to convert $enter_feature_tok$ & $service_family_tok$ to (lowercase) as $enter_feature_tok$ =caa $service_family_tok$=gmm

So I can substitute as [tp_lower($service_family_tok$)lower($enter_feature_tok$)_telnet_map ]. But it does not work. I tried => eval tp_gmm_cca_digital_map= lower(tp$service_family$_$enter_feature_tok$_digital_map) in Splunk but it did not work. Thanks

HenryFitzerald
New Member

It actually looks like
this: XX_gmm_caa_XXXXXXXX. The "XXXX" values are fixed text; I just replaced the XXXs
with tp and telnet & digital_map,
and the actual query looks like => lookup XX_gmm_caa_XXXXXXXX.
The gmm_caa are service_family and tokens in lowercase.

The only issue is how to append gmm_caa, which is $service_family_tok$=GMM
and $enter_feature_tok$=CAA, but in lower case.

There are other queries but in different dashboards:
lookup XX_gmm_accts_XXXXXXXX
lookup XX_gmm_regsaver_XXXXXXXX
lookup XX_edh_stmts_XXXXXXXX.

These other queries are in "separate Splunk panels", but now there are two drop-down boxes
in only one Splunk dashboard & I can capture when the user chooses the service_family
and feature values in uppercase in tokens $service_family_tok$ and $enter_feature_tok$
and use this in one generic query in one dashboard.

Attempting to use the values stored in the two tokens to create a generic query
=> lookup XX_$service_family_tok$_$enter_feature_tok$_XXXXXX
but the tokens are in uppercase and I am unsure
how to append this using lower case (lower).
Query => lookup XX_lower($service_family_tok$)_lower($enter_feature_tok$)_XXXXXX
I have tried a few things like lower & "eval" without success. Thanks
