Skip to main content
Sumo Logic

toLowerCase and toUpperCase

As the name implies, the toLowerCase operator takes a string and converts it to all lower case letters. The toUpperCase operator takes a string and converts it to all upper case letters.

These operators can be useful for normalizing source logs with inconsistent capitalization, such as Windows Event logs, or changing file names and paths for files systems that require all lower case letters. They are especially useful for queries that include conditionals and grouping, in order to reduce the number of groups in search results.

Syntax:

  • …| toLowerCase(string1) as string2
  • …| toUpperCase(string1) as string2

Rules:

  • An "as field" argument is required.
  • Non-string fields are not accepted.

Examples

Using toUpperCase with a conditional operator.

Use the following query to return all the _sourceHost matches in upper case letters.

_sourceCategory=service OR _sourceCategory=search 
| toUpperCase(_sourceHost) as _sourceHost 
| where _sourceHost matches "NITE*"

which provides results like:

Using toUpperCase with the Count operator:

This query also returns all _sourceHost matches in upper case letters, using a Count operator.

_sourceCategory=service OR _sourceCategory=search 
| toUpperCase(_sourceHost) as _sourceHost 
| count by _sourceHost

which produces results like:

Find a user name and convert it to lowercase.

This query will search a Source Category for a user name and convert it to lowercase, no matter how the name has been input.

_sourceCatgeory=web
| parse “user=* “ as usernname
| toLowerCase(username) as username
| where username matches “*joe smith*”