The upper() function converts text to upper case letters. It can process text from event fields or other sources. By default, it uses the system locale, but it is possible to specify a different language and locale if needed.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | _upper | The name of the output field. |
field[b] | string | required | The name of the input field with the value to convert to upper case. | |
locale | string | optional[a] | system locale | The name of the locale to use as ISO 639 language and an ISO 3166 country (for example, da, or da_DK). When not specified, it uses the system locale. |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale Syntaxupper("value")and:
logscale Syntaxupper(field="value")These examples show basic structure only.
For the value of type, you can specify just the language, or you can refine that choice by including the country. For instance, you might specify:
enfor English.en_UKfor UK English.en_USfor US English.
Specifying the correct locale is particularly important for languages with non-Latin alphabets, such as Russian with Cyrillic letters.
upper() Examples
Click next to an example below to get the full details.
Format a String to Upper Case and Lower Case
Format a string to upper case and lower case using the
upper() and lower()
functions with concat()
Query
lower(@error_msg[0], as=msg1)
| upper(@error_msg[1], as=msg2)
| concat([msg1, msg2], as=test)Introduction
In this example, upper() and
lower() functions are used with
concat() to concatenate two fields containing error
messages, where one field's result is all lower case letters and the
other field's results are all upper case letters.
If no as parameter is set, the fields outputted
to is by default named _upper
and _lower, respectively.
In this query, the as parameter is used for the
lower() and upper() functions
to label their results. These fields
(msg1 and
msg2) are then used with the
concat() function, returning the concatenated
string into a field named test.
Step-by-Step
Starting with the source repository events.
- logscale
lower(@error_msg[0], as=msg1)Formats the first element (index 0) of the @error_msg array to lower case and returns the results in a field named msg1.
- logscale
| upper(@error_msg[1], as=msg2)Formats the second element (index 1) of the @error_msg array to upper case and returns the results in a field named msg2.
- logscale
| concat([msg1, msg2], as=test)Concatenates (combines) the values in field msg1 and field msg2, and returns the concatenated string in a new field named test.
If using the
top()function on the test field, like this:| top(test)then the top 10 values for the field test is displayed with a count of their occurrences in a field named _count.
Event Result set.
Summary and Results
The query is used to either convert strings to lower case or upper case and return the new concatenated strings/results in a new field. In this example, concatenating error messages.
The specific labeling of msg1 and msg2 is particularly useful when you have more than one field that use the same query function.
By converting fields to consistent cases, it helps standardize data for easier analysis and comparison. The concatenation allows you to combine multiple fields into a single field, which can be useful for creating unique identifiers or grouping related information.
Perform Formatting on All Values in an Array
Perform formatting on all values in a flat array using the
array:eval() function
Query
array:eval("devices[]", asArray="upperDevices[]", var=d, function={upperDevices :=upper("d")})Introduction
In this example, the array:eval() function is used
to convert all values (for example
[Thermostat, Smart Light]) in an
array devices[] from lowercase
to uppercase and show the results in a new array.
Example incoming data might look like this:
| {\"devices\":[\"Thermostat\",\"Smart Plug\"],\"room\":\"Kitchen\"}" |
| {\"devices\":[\"Smart Light\",\"Thermostat\",\"Smart Plug\"],\"room\":\"Living Room\"}" |
| {\"devices\":[\"Smart Light\",\"Smart Plug\"],\"room\":\"Bedroom\"}" |
| {\"devices\":[\"Thermostat\",\"Smart Camera\"],\"room\":\"Hallway\"}" |
| {\"devices\":[\"Smart Light\",\"Smart Lock\"],\"room\":\"Front Door\"}" |
Step-by-Step
Starting with the source repository events.
- logscale
array:eval("devices[]", asArray="upperDevices[]", var=d, function={upperDevices :=upper("d")})Formats all values in the array devices[] to uppercase and returns the results in a new array named upperDevices[]. The values in the original array stay the same:
[Thermostat, Smart Plug, Smart Light]and the new array contains the returned results:[THERMOSTAT, SMART PLUG, SMART LIGHT] Event Result set.
Summary and Results
The query is used to turn values in an array into uppercase. The
array:eval() function can also be used for squaring
a list of numbers in an array.
Sample output from the incoming example data:
| devices[] | upperDevices[] |
|---|---|
| Thermostat | THERMOSTAT |
| Smart Plug | SMART PLUG |
| Smart Light | SMART LIGHT |
Standardize Values And Combine Into Single Field
Standardize values using the upper() and
lower() functions and combine into single
field with concat()
Query
lower(#severity, as=severity)
| upper(#category, as=category)
| concat([severity, category], as=test)
| top(test)Introduction
Standardizing the format of fields is useful for consistent analysis. In
this example, upper() and
lower() functions are used with
concat() to concatenate the fields
#category and
severity, where one field's
result is all lower case letters and the other field's results are all
upper case letters.
If no as parameter is set, the fields outputted
to is by default named _upper
and _lower, respectively.
In this query, the as parameter is used for the
lower() and upper() functions
to label their results. These output fields
(category and
severity) are then used with the
concat() function, returning the concatenated
string into a field named test.
Finally, it uses the top() function, to show which
combinations of severity and
category are most common in the data.
Step-by-Step
Starting with the source repository events.
- logscale
lower(#severity, as=severity)Converts the values in the #severity field to lower case and returns the results in a field named severity.
- logscale
| upper(#category, as=category)Converts the values in the #category field to upper case and returns the results in a field named category.
- logscale
| concat([severity, category], as=test)Concatenates (combines) the values in field category and field severity, and returns the concatenated string in a new field named test.
- logscale
| top(test)Finds the most common values of the field test — the top of an ordered list of results - along with their count. The result of the count of their occurrences is displayed in a field named _count.
Event Result set.
Summary and Results
The query is used to standardize the format of the values in the fields
#category and
severity and concatenate the
values into a single field, showing which combinations of
severity and category are most
common in the data.
The specific labeling of category and severity is particularly useful when you have more than one field that use the same query function.
By converting fields to consistent cases, it helps standardize data for
easier analysis and comparison. The concatenation allows you to combine
multiple fields into a single field, which can be useful for creating
unique identifiers or grouping related information. It provides a quick
overview of the distribution of events across different
severity-category combinations.
Sample output from the incoming example data (showing the first 10 rows only):
| test | _count |
|---|---|
| infoALERT | 90005 |
| infoFILTERALERT | 36640 |
| errorALERT | 17256 |
| warningGRAPHQL | 14240 |
| warningALERT | 13617 |
| warningSCHEDULEDSEARCH | 11483 |
| infoSCHEDULEDSEARCH | 5917 |
| warningFILTERALERT | 1646 |
| errorFILTERALERT | 1487 |
| infoACTION | 3 |
Notice how the value of #severity is in lower case letters, and the value of #category is in upper case letters.