Refine your search:

Is there a way to make lookup NOT case sensitive

2

Let's say I have a lookup table that looks like this:

host,tmoapp somehost01,app01 somehost02,app01 anotherhost01,app02 anotherhost02,app02 ...

The issue is when a host field comes in from the agent as (say) 'SOMEHOST02'... That hostname will not get its tmoapp field correctly populated because the hostname case is wrong/different. What I would like is a way to do the lookup similar to 'grep -i' (i.e. case insensitive). Is this possible?

asked 08 Apr '10, 15:17

Jaci's gravatar image

Jaci ♦
8722217
accept rate: 75%

edited 01 Jul '11, 11:03

jlaw's gravatar image

jlaw ♦
20113

1

I have a related outstanding question: http://answers.splunk.com/questions/718/how-are-values-in-lookups-matched

(08 Apr '10, 15:49) gkanapathy ♦
3 Answers:
oldestnewestmost voted
1

Well, if your lookup is a script, you can of course explicitly smash case. You could also explicitly smash the case in eval. ...|eval host=lower(host) | lookup ...

However given that our text is searched in a case-insensitive fashion, it seems like supporting lokoops in an insensitive fashion should be possible, but I don't know if it currently is.

link

answered 08 Apr '10, 16:00

jrodman's gravatar image

jrodman ♦
5.8k2515
accept rate: 42%

6

In version 4.1.4, we provide an option to configure lookups to be case insensitive.

Sweet.

link

answered 11 Jun '10, 04:59

the_wolverine's gravatar image

the_wolverine ♦
4.3k5843
accept rate: 50%

edited 11 Jun '10, 13:37

That IS sweet!!

(11 Jun '10, 12:24) jeff

Transforms.conf, underneath the stanza defining your lookup, case_sensitive_match = false

(15 Sep '10, 18:26) Jason
3

What jrodman said is correct. Currently there is no ability to do case insensitive matching directly. You can either smash case in eval before calling the lookup operator, or use a scripted lookup where obviously you can do whatever type of matching you want.

link

answered 08 Apr '10, 17:52

steveyz's gravatar image

steveyz ♦
1.1k14
accept rate: 55%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×188
×163
×11

Asked: 08 Apr '10, 15:17

Seen: 1,501 times

Last updated: 01 Jul '11, 11:03

Related questions

Can I make field values case-sensitive?

How to make a search case-sensitive?

Are field values case sensitive?

are sourcetype names case-sensitive?

Case Sensitive?

case sensitive dedup?

case sensitive dedup?

GEOIP lookup script extracted field names are case sensitive (was: Doesnt work with 4.2.5)

Lost forwarder search case sensitive for host name

Copyright © 2005-2012 Splunk, Inc. All rights reserved.