topic Re: Splunk Case-Sensitive Search in Splunk Search

Splunk Case-Sensitive Search

mkarimi — Thu, 08 May 2014 19:50:01 GMT

I have some data that comes in with different values and need to point them out. For example, the data can look like:

refRepId=36
OR
refrepid=125
or
refRepid=1245

1) for the first part, i need to look up anything that isn't refRepID. so i ran

mysearch NOT CASE(refRepID)

but that didn't seem to do anything. and i tried by running

mysearch CASE(refrepid) OR CASE(refRepid)

and those didn't do anyything either. (please keep in mind that refRepid and refrepid are not the only cases and there could be refrepID, rEfrepID, etc.)

2) for the second part, Here are the rules which I’m trying to achieve:
1. All refRepId values
2. Of any case, EXCEPT for the exact casing “refRepId”
3. Which are not null -> some might have refrepid= OR refrepid=somecharacters.

P.S. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

Re: Splunk Case-Sensitive Search

BenjaminWyatt — Thu, 08 May 2014 19:56:32 GMT

Hmmm...what about something like...

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

It's not the most elegant solution, but you will filter out all the values with the casing you don't want, and enforce that the two casings you do want have values in them.

Re: Splunk Case-Sensitive Search

mkarimi — Thu, 08 May 2014 20:00:27 GMT

well you can't do = just like that right?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

also that won't work because it needs to be case-insensitive. Splunk thinks about all of those in the same manner

Re: Splunk Case-Sensitive Search

mkarimi — Thu, 08 May 2014 20:05:14 GMT

p.s. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

Re: Splunk Case-Sensitive Search

somesoni2 — Thu, 08 May 2014 21:19:39 GMT

try this

index=xx sourcetype=yy refrepid NOT (refRepID=*)

Re: Splunk Case-Sensitive Search

BenjaminWyatt — Thu, 08 May 2014 21:20:53 GMT

Oh, whoops, formatting error. What I meant to type was:

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

I'm not sure I understand it needing to be case-insensitive. Field names are case-sensitive in the search string...

Re: Splunk Case-Sensitive Search

martin_mueller — Thu, 08 May 2014 21:24:13 GMT

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

Re: Splunk Case-Sensitive Search

mkarimi — Fri, 09 May 2014 13:34:11 GMT

thanks man. I forgot there is a difference between rex and regex.