Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare case-sensitivity of fields

tb5821
Communicator
‎03-24-2020 02:02 PM

I'm using a rex to extract a field called field1 from my search... how do I take all the results of field1 and call out if they match on case or not? ie 

_time   abc_123  
_time   ABC_123

_time   def_123
_time   def_123

first example I'd want to say there's a case diff while the second example is fine since the case's match

0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2020 04:56 PM

The easiest thing is to do this:

... | eval field1lower=lower(field1)
| stats values(field1) values(field1lower) dc(field1) dc(field1lower)

You can also use the ignore-case modifier (?i) for any RegEx.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-24-2020 02:45 PM

try (?i) option

https://www.pcre.org/original/doc/html/pcrepattern.html#SEC13

0 Karma
Reply

tb5821
Communicator
‎03-24-2020 03:24 PM

sorry not the regex - I already got the field reguardless of case but now I need to compare them ....

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...