Partial String Conversion to lower case

HenryFitzerald
New Member

Hi,

Could anyone assist, thanks.

I have two token values that vary depending on the chosen drop-down box but are all in uppercase, "CAA" and "GMM".

Example
$enter_feature_tok$ =CAA
$service_family_tok$=GMM

But, I need to use these queries as part of a string for a look up query variables but need to convert to lowercase as "gmm" and "caa".
Text in query is => "lookup tp_gmm_cca_digital_map". You see gmm and cca as part of the string.

I wanted to substitute the token values as lower case using => lower($enter_feature_tok$) to give "gmm" and same for CAA by saying lower($enter_feature_tok$) to give "caa" so I can append to string as => tp_lower($service_family_tok$)_lower($enter_feature_tok$)_telnet_map would become => tp_gmm_cca_telnet_map

The constants in string are "tp_" and "_telnet_map"

But it did not work, and I also tried [lookup eval tp_gmm_cca_digital_map =lower(tp_$service_family$_$enter_feature_tok$_digital_map) ]
If anyone could please assist or suggest, thanks.

0 Karma
1 Solution

renjith_nair
Legend

@HenryFitzerald,

As discussed on https://answers.splunk.com/answers/696582/can-you-help-me-with-my-query-involving-two-static.html#an... , below should work for you

 <form>
   <label>Dropdown Example</label>
   <fieldset submitButton="false">
     <input type="dropdown" token="service_family_tok">
       <label>First Drop Down</label>
       <choice value="GMM">GMM</choice>
       <choice value="HWBT">HWBT</choice>
       <choice value="EDH">EDH</choice>
       <choice value="PWS">PWS</choice>
       <default>GMM</default>
       <initialValue>GMM</initialValue>
       <change>
         <condition value="EDH">
           <set token="feature_values">STMTS-COUNT,MANAGACCT,INBOX,STMTS,ACCTS2,ACCTS</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="GMM">
           <set token="feature_values">CCA,RESAVER</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="HWBT">
           <set token="feature_values">PLA</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="PWS">
           <set token="feature_values">TP</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
       </change>
     </input>
     <input type="dropdown" token="enter_feature_tok">
       <label>Second Dropdown</label>
       <fieldForLabel>feature</fieldForLabel>
       <fieldForValue>feature</fieldForValue>
       <search>
         <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
         <earliest>-1s@s</earliest>
         <latest>now</latest>
       </search>
       <change>
         <eval token="l_service_family_tok">lower($service_family_tok$)</eval>
         <eval token="l_enter_feature_tok">lower($value$)</eval>
       </change>
     </input>
   </fieldset>
   <row depends="$enter_feature_tok$">
     <panel>
       <title>This html part is just to print the tokens and can be removed</title>
       <html>
        <h2> Here is an example of LOOKUP filename for $service_family_tok$ AND $enter_feature_tok$ </h2>
        <h1> "your base search here" | lookup tp_$l_service_family_tok$_$l_enter_feature_tok$_digital_map "your lookup terms"   </h1>
      </html>
     </panel>
   </row>
 </form>
Happy Splunking!

0 Karma


HenryFitzerald
New Member

Excellent, thanks Renjith.

0 Karma

kamlesh_vaghela
SplunkTrust

@HenryFitzerald

Can you please share your sample dashboard XML? So we can assist on that directly.

0 Karma

HenryFitzerald
New Member

Hi Kamlesh, thanks for the reply. The query looks like =>

index="main" source=technical_lm | lookup tp_gmm_cca_digital_map tp_wildcard | search tp_feature=CAA | timechart count by client_id

I can say in query "tp_feature"=$enter_feature_tok$ but "tp_gmm_cca_digital_map" is where I want to use GMM and CAA in lower case [lookup eval tp_gmm_cca_digital_map in query as=> lower(tp_$service_family$_$enter_feature_tok$_digital_map) ]

Code is as below. Please let me know if you have any questions. It's really only about the string => tp_gmm_cca_digital_map and how to replace gmm and cca with appended values of the two tokens GMM & CCA in lower case to use in the query.

 <form>
   <label>Dropdown Example</label>
   <fieldset>
     <input type="dropdown" token="service_family_tok">
       <label>First Drop Down</label>
       <choice value="GMM">GMM</choice>
       <choice value="HWBT">HWBT</choice>
       <choice value="EDH">EDH</choice>
       <choice value="PWS">PWS</choice>
       <default>GMM</default>
       <initialValue>GMM</initialValue>
       <change>
         <condition value="EDH">
           <set token="feature_values">STMTS-COUNT,MANAGACCT,INBOX,STMTS,ACCTS2,ACCTS</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="GMM">
           <set token="feature_values">CCA,RESAVER</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="HWBT">
           <set token="feature_values">PLA</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
         <condition value="PWS">
           <set token="feature_values">TP</set>
           <unset token="form.enter_feature_tok"></unset>
         </condition>
       </change>
     </input>
     <input type="dropdown" token="enter_feature_tok">
       <label>Second Dropdown</label>
       <fieldForLabel>feature</fieldForLabel>
       <fieldForValue>feature</fieldForValue>
       <search>
         <query>|makeresults|eval feature="$feature_values$"|makemv feature delim=","|mvexpand feature</query>
         <earliest>-1s@s</earliest>
         <latest>now</latest>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <html>
         <h3>Service Family Token : $service_family_tok$ , Feature Token : $enter_feature_tok$</h3>
       </html>
     </panel>
   </row>
 </form>

index="main" source=technical_lm | lookup tp_gmm_cca_digital_map tp_wildcard | search tp_feature=CAA | timechart count by client_id


0 Karma

HenryFitzerald
New Member

I think I made it complicated. It's two variables with values "CAA" and "GMM" (uppercase) as below:
$enter_feature_tok$ =CAA
$service_family_tok$=GMM
I also have a variable tp_gmm_cca_digital_map. I have been attempting to convert $enter_feature_tok$ & $service_family_tok$ to lowercase as:
$enter_feature_tok$ =caa
$service_family_tok$=gmm

So I can substitute as [tp_lower($service_family_tok$)_lower($enter_feature_tok$)_telnet_map ]. But it does not work. I tried => eval tp_gmm_cca_digital_map= lower(tp_$service_family$_$enter_feature_tok$_digital_map) in Splunk but it did not work. Thanks

0 Karma

HenryFitzerald
New Member

It actually looks like
this: XX_gmm_caa_XXXXXXXX. The "XXXX" values are fixed text; I just replaced the XXXs
with tp and telnet & digital_map,
and the actual query looks like => lookup XX_gmm_caa_XXXXXXXX.
The gmm_caa are service_family and tokens in lowercase.

The only issue is how to append gmm_caa, which is $service_family_tok$=GMM
and $enter_feature_tok$=CAA but in lower case.

There are other queries but in different dashboards:
lookup XX_gmm_accts_XXXXXXXX
lookup XX_gmm_regsaver_XXXXXXXX
lookup XX_edh_stmts_XXXXXXXX.

These other queries are in "separate Splunk panels" but now there’s two drop down boxes
in only one Splunk dashboard & I can capture when the user chooses the service_family
and feature values in uppercase in tokens $service_family_tok$ and $enter_feature_tok$
and use this in one generic query in one dashboard.

Attempting to use the values stored in the two tokens to create a generic query
=> lookup XX_$service_family_tok$_$enter_feature_tok$_XXXXXX
but the tokens are in uppercase and I am unsure
how to append this using lower case (lower)
Query => lookup XX_lower($service_family_tok$)_lower($enter_feature_tok$)_XXXXXX
I have tried a few things like lower & “eval” without success. Thanks

0 Karma