Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by either use the eval or mask function:
Eval
_raw.toLowerCase()
https://docs.cribl.io/stream/eval-function/
"The Eval Function adds or removes fields from events. (In Splunk, these are index-time fields.)"
Mask
You can also use Cribls mask function to hit all fields:
Regex = (.*) <---- 1st Capturing Group (.*), see https://regex101.com/
g1.toLowerCase
https://docs.cribl.io/stream/mask-function/
"The Mask Function masks, or replaces, patterns in events. This is especially useful for redacting PII (personally identifiable information) and other sensitive data."
