https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24740#M4588 <P>All,</P> <P>I'm wondering if there is a way to change my configuration files to ignore the capitalization of a field. For example, I would want <SAMP>myField</SAMP> and <SAMP>MyField</SAMP> to both show up if my search is something like:</P> <PRE>sourcetype="mysource" myField="SomeValue"</PRE> <P>I know there are workarounds for this (e.g. <SAMP>rename</SAMP> and evaluating into a new field), but I was wondering if there is any easier way to handle this case. Ideally, I could set this in a conf file.</P> <P>Thanks!</P> Mon, 05 Aug 2013 14:19:49 GMT bruceclarke 2013-08-05T14:19:49Z https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24740#M4588 <P>All,</P> <P>I'm wondering if there is a way to change my configuration files to ignore the capitalization of a field. For example, I would want <SAMP>myField</SAMP> and <SAMP>MyField</SAMP> to both show up if my search is something like:</P> <PRE>sourcetype="mysource" myField="SomeValue"</PRE> <P>I know there are workarounds for this (e.g. <SAMP>rename</SAMP> and evaluating into a new field), but I was wondering if there is any easier way to handle this case. Ideally, I could set this in a conf file.</P> <P>Thanks!</P> Mon, 05 Aug 2013 14:19:49 GMT https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24740#M4588 bruceclarke 2013-08-05T14:19:49Z https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24741#M4589 <P>Hello,<BR /> Similar questions had been answered before. This may help you:</P> <P><A href="http://splunk-base.splunk.com/answers/59361/dealing-with-keyvalue-pairs-with-inconsistent-key-case">http://splunk-base.splunk.com/answers/59361/dealing-with-keyvalue-pairs-with-inconsistent-key-case</A></P> Mon, 05 Aug 2013 14:36:04 GMT https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24741#M4589 linu1988 2013-08-05T14:36:04Z https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24742#M4590 <P>Thanks for the post. I'll give the SED feature a shot.</P> Mon, 05 Aug 2013 15:02:32 GMT https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24742#M4590 bruceclarke 2013-08-05T15:02:32Z https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24743#M4591 <P>There is no facility in Splunk to ignore case sensitivity in field names, since they are meant to be used as labels, like in programming where each label is unique.</P> <P>You can, however set field aliases in the props.conf file in your sourcetype stanza</P> <P>FIELDALIAS-<CLASS> = <ORIG_FIELD_NAME> AS <NEW_FIELD_NAME></NEW_FIELD_NAME></ORIG_FIELD_NAME></CLASS></P> <P>so it would be something like this:<BR /> [accesslog]<BR /> EXTRACT-extract_ip = (?<IP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})<BR /> FIELDALIAS-extract_ip = ip AS ipAddress</IP></P> <P>You might also want to take a look at this :<BR /> <A href="http://splunk-base.splunk.com/answers/9201/field-alias-for-all-indexed-data" target="_blank">http://splunk-base.splunk.com/answers/9201/field-alias-for-all-indexed-data</A></P> <P>You haven't said what you're trying to address exactly, but perhaps a combination of the two approaches would spark something for you...</P> Mon, 28 Sep 2020 14:30:11 GMT https://community.splunk.com/t5/Splunk-Search/Changing-default-field-case-sensitivity/m-p/24743#M4591 rsennett_splunk 2020-09-28T14:30:11Z