This simple query function may be used to change the text given, by way of a field from an event or otherwise, to all lower-case letters. This is based on the presumed language, but you can set the language and locale if needed.

asstringoptional[a]_lower The name of the output field.
field[b]stringrequired  The name of the input field with the value to convert to lower-case.
localestringoptional[a]system locale Locale to use, as ISO-639 language and an optional ISO-3166 country (e.g., en or en_US).
typestringoptional[a]  The name of the locale to use as ISO 639 language and an ISO 3166 country. When not specified, uses the system locale.

[a] Optional parameters use their default value unless explicitly set

[b] The argument name field can be omitted.

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:




These examples show basic structure only; full examples are provided below.

In addition to providing the field of events to change to all lower-case letters, as well as optionally assigning a name to the resulting field, you can specify the country and language so that conversion is done correctly and without odd characters.

For the value of type, you can specify just the language, or you can refine that choice by including the country. For instance, you might specify en for English. You could be more specific by entering en_UK for U.K. English or en_US for U.S. English. Choosing the right language is perhaps most important when data includes text in other languages like Russian with Cyrillic letters.

lower() Examples

As a simple example, suppose you have two fields that you want to concatenate together, but want to set one's results to all lower-case letters and the other to all upper-case letters. You might do that using the concat() function, along with the lower() and upper() query functions, like so:

lower(#severity, as=severity)
| upper(#category, as=category)
| concat([severity, category], as=test)
| top(test)

In this query, the as parameter were used for the lower() and for the upper() query functions to label their results. Those field names are then used with the concat() function into a test field. That wasn't necessary, though: they could have be referenced by the default names, _lower and _upper. However, the specific labeling is particularly useful when you have more than one field that use the same query function. Then, the top 10 values are displayed for the field test.


Notice the value of #severity is in lower-case letters, and the value of #category is in upper-case.