Is there a way to enforce case-sensitivity on a field by field basis?

Example:

myid="0ZP0YFS5Rl7pACDD1K002"

and

myid="0ZP0YFS5Rl7pACDD1k002"

where the lower-case k at the far right of the value makes these two field values different.

asked 09 Jun '10, 19:49

maverick ♦

edited 08 Jun '11, 17:27

jlaw ♦

3 Answers:

You can use the where command to enforce case sensitivity:

sourcetype=whatever | where myid="0ZP0YFS5Rl7pACDD1K002"

answered 09 Jun '10, 20:16

ziegfried ♦

You should instead code the above as: sourcetype=whatever myid="0ZP0YFS5Rl7pACDD1K002" | where myid="0ZP0YFS5Rl7pACDD1K002". If you do not do so, the search will likely be much less efficient, as it will need to bring back everything from the sourcetype without taking advantage of the index, then filter it with where. Instead, bring back only the items that match, regardless of case. This should be a much smaller set and efficiently retrieved via the index, and you then are simply filtering out on a much smaller set.

(08 Sep '10, 17:40) gkanapathy ♦

Values do not have case-sensitivity. Operations on values may have sensitivity to the case of the values. There is no global way to make every possible operation and function in Splunk case-insensitive, and besides "search", most are case-sensitive. You can of course always normalize most values using the "upper()" or "lower()" eval functions, but (for example) this can't be applied to match values in lookup tables.

answered 10 Jun '10, 11:54

gkanapathy ♦

Another option is to use the regex command. In general, the where option mentioned by ziegfried seems like the best for your specific usage scenario, but regex would be more flexible when:

  1. Trying to case-sensitively match text within the raw event (e.g. if a specific field is not already defined)
  2. Trying to match part of a field (because wildcard expansion does not work with the where command, so you can't do | where myid="*pACDD1K002" to case-sensitively match a suffix.)

Matching part of a raw event:

sourcetype=whatever 0ZP0YFS5Rl7pACDD1K002 | regex _raw="\b0ZP0YFS5Rl7pACDD1K002\b"

A partial-field matching example:

sourcetype=whatever myid="*pACDD1K002" | regex myid=".*pACDD1K002$"

answered 11 Jun '10, 17:44

Lowell ♦

edited 08 Sep '10, 18:33


Please ensure that you include enough of the text search string in the base query to ensure that the search is efficiently using the index, e.g., sourcetype=whatever "0ZP0YFS5Rl7pACDD1K002" | regex _raw="\b0ZP0YFS5Rl7pACDD1K002\b" should be a much faster search.

(08 Sep '10, 17:41) gkanapathy ♦
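As an added illustration, not code from the original thread, here is a small Python simulation of the two-stage pattern the answers and comments above converge on: a case-insensitive base search standing in for the indexed lookup, followed by a case-sensitive where or regex filter over the smaller result set. The event lines, the myid field and all helper functions are constructed for this example, and substring matching is a stand-in for Splunk's term-based index.

```python
import re

# Constructed sample events (not from the original page). The second and
# third differ from the first only in letter case.
EVENTS = [
    'host=a myid="0ZP0YFS5Rl7pACDD1K002" action=login',
    'host=b myid="0ZP0YFS5Rl7pACDD1k002" action=login',
    'host=c myid="0zp0yfs5rl7pacdd1k002" action=logout',
    'host=d myid="AAAAAAAAAAAAAAAAAAAAA" action=login',
]

FIELD_RE = re.compile(r'myid="([^"]*)"')


def extract(event):
    """Return {'_raw': ..., 'myid': ...}, mimicking Splunk field extraction."""
    m = FIELD_RE.search(event)
    return {"_raw": event, "myid": m.group(1) if m else None}


def base_search(events, term):
    """Stage 1: the base search. Splunk's search command matches terms
    case-insensitively, so this returns every event whose raw text contains
    the term in any case (a superset of what we actually want)."""
    needle = term.lower()
    return [extract(e) for e in events if needle in e.lower()]


def where_exact(results, field, value):
    """Stage 2a: | where field="value" compares case-sensitively."""
    return [r for r in results if r.get(field) == value]


def regex_filter(results, field, pattern):
    """Stage 2b: | regex field="pattern" keeps rows whose field matches the
    case-sensitive regular expression."""
    rx = re.compile(pattern)
    return [r for r in results if r.get(field) is not None and rx.search(r[field])]


def case_sensitive_lookup(events, value):
    """sourcetype=x myid="value" | where myid="value" """
    return where_exact(base_search(events, value), "myid", value)


def suffix_lookup(events, suffix):
    """sourcetype=x myid="*suffix" | regex myid="suffix$" """
    return regex_filter(base_search(events, suffix), "myid", re.escape(suffix) + "$")
```

Running the base search alone returns all three case variants; the where or regex stage is what narrows the result to the one exact-case match.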
Copyright © 2005-2012 Splunk, Inc. All rights reserved.