I occasionally use Splunk as part of my job to research issues, but am very much a novice. The query below charts the stored procedures and maps their average run times (and it works).
index=X sourcetype IN Y source IN Z
| spath "TotalDuration"
| search "TotalDuration"="*"
| chart avg(TotalDuration) as average over ProcName
The issue I'm running into is that the procs may be called with slight variations, such as:
sp_DoAThing
sp_doathing
[sp_doathing]
What I'd like to do is ignore case and remove brackets, so that all three of the examples above return as one proc with one average duration, instead of three. It says I don't have enough karma points to post links so I can't share the similar questions I've read through, but the answers I've seen (for ignoring case) seem as simple as,
| eval ProcName = lower(ProcName)
but I have tried that in many locations and many variations and cannot get it to work. Any help would be greatly appreciated.
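Added example, not part of the original post: a self-contained search that reproduces the three name variants above and collapses them into one row. The rows and the durations (100, 200, 300) are constructed sample data generated with makeresults, and the search assumes ProcName is already an extracted field by the time the eval runs.

```spl
| makeresults count=3
| streamstats count as n
| eval ProcName = case(n=1, "sp_DoAThing", n=2, "sp_doathing", n=3, "[sp_doathing]")
| eval TotalDuration = case(n=1, 100, n=2, 200, n=3, 300)
| eval ProcName = lower(replace(ProcName, "[\[\]]", ""))
| chart avg(TotalDuration) as average over ProcName
```

The normalizing eval has to sit before the chart command, because chart groups on whatever ProcName holds at that point in the pipeline. Field names in eval are case-sensitive, so the name must match the extracted field exactly.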