The lower() function converts text to lower case letters. It can process text from event fields or other sources. By default, it uses the system locale, but it is possible to specify a different language and locale if needed.
Hide omitted argument names for this functionShow omitted argument names for this function
Omitted Argument Names
The argument name for field can be omitted; the following forms of this function are equivalent:
logscale Syntax
lower("value")
and:
logscale Syntax
lower(field="value")
These examples show basic structure only.
In addition to providing the field of events to change to all
lower-case letters, as well as optionally assigning a name to
the resulting field, you can specify the country and language so
that conversion is done correctly and without odd characters.
For the value of type, you can specify just the language, or you
can refine that choice by including the country. For instance,
you might specify:
en for
English.
en_UK for UK English.
en_US for US English.
Specifying the correct locale is particularly important for languages with non-Latin alphabets, such as Russian with Cyrillic letters.
In this example, the array:append() function is
used to create a new array
related.user[] containing
information about all user names seen on the event.
Creates a new array
related.user[] containing
information about all user names seen on the event. Notice that the
lower() function formats the results into lower
case before appending them to the array.
Event Result set.
Summary and Results
This query is used to create a new flat array based on values from an
array of expressions.
Sample output from the incoming example data:
source.user.name
destination.user.name
related.user[0]
related.user[1]
user_1
USER_2
user_1
user_2
Format a String to Upper Case and Lower Case
Format a string to upper case and lower case using the upper() and lower() functions with concat()
In this example, upper() and
lower() functions are used with
concat() to concatenate two fields containing error
messages, where one field's result is all lower case letters and the
other field's results are all upper case letters.
If no as parameter is set, the fields outputted
to is by default named _upper
and _lower, respectively.
In this query, the as parameter is used for the
lower() and upper() functions
to label their results. These fields
(msg1 and
msg2) are then used with the
concat() function, returning the concatenated
string into a field named test.
Step-by-Step
Starting with the source repository events.
logscale
lower(@error_msg[0],as=msg1)
Formats the first element (index 0) of the
@error_msg array to lower case and returns the
results in a field named msg1.
logscale
|upper(@error_msg[1],as=msg2)
Formats the second element (index 1) of the
@error_msg array to upper case and returns the results in a
field named msg2.
logscale
|concat([msg1,msg2],as=test)
Concatenates (combines) the values in field
msg1 and field
msg2, and returns the
concatenated string in a new field named
test.
If using the top() function on the
test field, like this:
| top(test)
then the top 10 values for the field
test is displayed with a count
of their occurrences in a field named
_count.
Event Result set.
Summary and Results
The query is used to either convert strings to lower case or upper case
and return the new concatenated strings/results in a new field. In this
example, concatenating error messages.
The specific labeling of msg1
and msg2 is particularly useful
when you have more than one field that use the same query function.
By converting fields to consistent cases, it helps standardize data for
easier analysis and comparison. The concatenation allows you to combine
multiple fields into a single field, which can be useful for creating
unique identifiers or grouping related information.
Standardize Values And Combine Into Single Field
Standardize values using the upper() and lower() functions and combine into single field with concat()
Standardizing the format of fields is useful for consistent analysis. In
this example, upper() and
lower() functions are used with
concat() to concatenate the fields
#category and
severity, where one field's
result is all lower case letters and the other field's results are all
upper case letters.
If no as parameter is set, the fields outputted
to is by default named _upper
and _lower, respectively.
In this query, the as parameter is used for the
lower() and upper() functions
to label their results. These output fields
(category and
severity) are then used with the
concat() function, returning the concatenated
string into a field named test.
Finally, it uses the top() function, to show which
combinations of severity and
category are most common in the data.
Step-by-Step
Starting with the source repository events.
logscale
lower(#severity,as=severity)
Converts the values in the #severity field to lower
case and returns the results in a field named
severity.
logscale
|upper(#category,as=category)
Converts the values in the #category field to upper
case and returns the results in a field named
category.
logscale
|concat([severity,category],as=test)
Concatenates (combines) the values in field
category and field
severity, and returns the
concatenated string in a new field named
test.
logscale
|top(test)
Finds the most common values of the field
test — the top of an
ordered list of results - along with their count. The result of the
count of their occurrences is displayed in a field named
_count.
Event Result set.
Summary and Results
The query is used to standardize the format of the values in the fields
#category and
severity and concatenate the
values into a single field, showing which combinations of
severity and category are most
common in the data.
The specific labeling of
category and
severity is particularly useful
when you have more than one field that use the same query function.
By converting fields to consistent cases, it helps standardize data for
easier analysis and comparison. The concatenation allows you to combine
multiple fields into a single field, which can be useful for creating
unique identifiers or grouping related information. It provides a quick
overview of the distribution of events across different
severity-category combinations.
Sample output from the incoming example data (showing the first 10 rows
only):
test
_count
infoALERT
90005
infoFILTERALERT
36640
errorALERT
17256
warningGRAPHQL
14240
warningALERT
13617
warningSCHEDULEDSEARCH
11483
infoSCHEDULEDSEARCH
5917
warningFILTERALERT
1646
errorFILTERALERT
1487
infoACTION
3
Notice how the value of #severity is in lower case
letters, and the value of #category is in upper
case letters.
