Refine your search:

Are field values case sensitive?

6

Are field values case sensitive? Is this behavior the same in 3.x and 4.x versions of Splunk?

asked 14 Jan '10, 19:34

araitz's gravatar image

araitz ♦♦
7.2k2516
accept rate: 38%

edited 07 Sep '11, 13:27

jlaw's gravatar image

jlaw ♦
20113
3 Answers:
oldestnewestmost voted
2

each search operator is allowed to treat field value case sensitivity as it sees fit. 

search is case insensitive 
stats is case sensitive 
sort is case sensitive
link

answered 14 Jan '10, 20:12

Ledion%20Bitincka's gravatar image

Ledion Bitincka ♦
1.5k36
accept rate: 35%

1

Field values are not case sensitive. When searching for plain text tokens like foo, and phrase searches like "foo bar", these are are not case sensitive either.

On the other hand field names are always case sensitive, in the search command and in other commands.

eg if you have a field extracted as 'myfield', searching for myfield="bar" will work, whereas myField="bar" will not.

As far as other commands besides search, arguments and values are generally case sensitive and my advice is to assume that they are until proven otherwise.

I believe this picture was the same back in 3.X but im not positive.

link

answered 24 Apr '10, 00:15

nick's gravatar image

nick ♦
14.2k1318
accept rate: 46%

edited 08 May '10, 19:31

0

Also, by default, values in lookup tables are case sensitive but you can change them to be case insensitive in transforms.conf.

Check out transforms.conf.spec in $SPLUNK_HOME/etc/system/README

case_sensitive_match = <bool> If set to false, case insensitive matching will be performed for all fields in a lookup table Defaults to true (case sensitive matching)

link

answered 08 Sep '11, 15:28

khodges_splunk's gravatar image

khodges_splunk
261
accept rate: 20%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×354
×335
×166
×11

Asked: 14 Jan '10, 19:34

Seen: 1,800 times

Last updated: 08 Sep '11, 15:28

Related questions

Can I make field values case-sensitive?

How to stop automatic field extraction from creating separate fields for each case variant on the same field name

Case insensitive field extraction and reporting

are search language *keywords* case-sensitive?

How to make a search case-sensitive?

Is there a way to make lookup NOT case sensitive

GEOIP lookup script extracted field names are case sensitive (was: Doesnt work with 4.2.5)

Lost forwarder search case sensitive for host name

are sourcetype names case-sensitive?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.