This simple query function may be used to change the text given, by way of a field from an event or otherwise, to all lower-case letters. This is based on the presumed language, but you can set the language and locale if needed.

ParameterTypeRequiredDefaultDescription
asstringoptional[a]_lower The name of the output field.
field[b]stringrequired  The name of the input field with the value to convert to lower-case.
localestringoptional[a]system locale Locale to use, as ISO-639 language and an optional ISO-3166 country (e.g., en or en_US).
typestringoptional[a]  The name of the locale to use as ISO 639 language and an ISO 3166 country. When not specified, uses the system locale.

[a] Optional parameters use their default value unless explicitly set

[b] The argument name field can be omitted.

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:

logscale
lower("value")

and:

logscale
lower(field="value")

These examples show basic structure only; full examples are provided below.

In addition to providing the field of events to change to all lower-case letters, as well as optionally assigning a name to the resulting field, you can specify the country and language so that conversion is done correctly and without odd characters.

For the value of type, you can specify just the language, or you can refine that choice by including the country. For instance, you might specify en for English. You could be more specific by entering en_UK for U.K. English or en_US for U.S. English. Choosing the right language is perhaps most important when data includes text in other languages like Russian with Cyrillic letters.

lower() Examples

As a simple example, suppose you have two fields that you want to concatenate together, but want to set one's results to all lower-case letters and the other to all upper-case letters. You might do that using the concat() function, along with the lower() and upper() query functions, like so:

logscale
lower(#severity, as=severity)
| upper(#category, as=category)
| concat([severity, category], as=test)
| top(test)

In this query, the as parameter were used for the lower() and for the upper() query functions to label their results. Those field names are then used with the concat() function into a test field. That wasn't necessary, though: they could have be referenced by the default names, _lower and _upper. However, the specific labeling is particularly useful when you have more than one field that use the same query function. Then, the top 10 values are displayed for the field test.

test_count
infoALERT90005
infoFILTERALERT36640
errorALERT17256
warningGRAPHQL14240
warningALERT13617
warningSCHEDULEDSEARCH11483
infoSCHEDULEDSEARCH5917
warningFILTERALERT1646
errorFILTERALERT1487
infoACTION3

Notice the value of #severity is in lower-case letters, and the value of #category is in upper-case.