https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166712#M47454 <P>In my understanding, CASE does case-sensitive match for the a term/field values, which means it does a match for a complete word. So CASE(Exception) will match 'Exception' or 'Test.Exception.foo' but not 'OracleException' . _raw="<EM>Exception</EM>" will match a portion of a term as well hence you're getting results there. Check if Exception is a complete word/term in your logs.</P> Wed, 26 Feb 2014 17:49:22 GMT somesoni2 2014-02-26T17:49:22Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166710#M47452 <P>While using the CASE() feature of the search command (as per <A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/Search/Usethesearchcommand#Use_CASE.28.29_and_TERM.28.29_to_match_phrases">http://docs.splunk.com/Documentation/Splunk/6.0.2/Search/Usethesearchcommand#Use_CASE.28.29_and_TERM.28.29_to_match_phrases</A>) I'm seeing no events produced but there should be.</P> <P>Example:</P> <PRE><CODE>earliest=@h-15min latest=@h index=index1 OR index=index2 _raw="*Exception*" </CODE></PRE> <P>produces results.</P> <PRE><CODE>earliest=@h-15min latest=@h index=index1 OR index=index2 CASE(Exception) </CODE></PRE> <P>produces NO results.</P> <P>This seems to ONLY happen while using the string "Exception". Other strings within the CASE() function are working as expected. </P> <P>This is on Splunk 6.0.2.</P> <P>Anyone seen this before?</P> Wed, 26 Feb 2014 16:33:16 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166710#M47452 sloshburch 2014-02-26T16:33:16Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166711#M47453 <P>Is Exception surrounded by major breakers?</P> Wed, 26 Feb 2014 17:36:30 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166711#M47453 lukejadamec 2014-02-26T17:36:30Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166712#M47454 <P>In my understanding, CASE does case-sensitive match for the a term/field values, which means it does a match for a complete word. So CASE(Exception) will match 'Exception' or 'Test.Exception.foo' but not 'OracleException' . _raw="<EM>Exception</EM>" will match a portion of a term as well hence you're getting results there. Check if Exception is a complete word/term in your logs.</P> Wed, 26 Feb 2014 17:49:22 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166712#M47454 somesoni2 2014-02-26T17:49:22Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166713#M47455 <P>It's found preceded by letters org.something.somethingelse.somethingother.TypeOfException ending with a space or a :</P> Wed, 26 Feb 2014 17:49:37 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166713#M47455 sloshburch 2014-02-26T17:49:37Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166714#M47456 <P>That is not going to work with case. Read the bottom of the link you posted to see why. Or - what somesoni2 said.</P> Wed, 26 Feb 2014 17:50:56 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166714#M47456 lukejadamec 2014-02-26T17:50:56Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166715#M47457 <P>You might try TypeOfException</P> Wed, 26 Feb 2014 17:51:58 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166715#M47457 lukejadamec 2014-02-26T17:51:58Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166716#M47458 <P>Or use CASE(*Exception*). this will work same as _raw="*Exception*", just it will be case-sensitive.</P> Wed, 26 Feb 2014 17:54:24 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166716#M47458 somesoni2 2014-02-26T17:54:24Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166717#M47459 <P>Thank you somesoni2 - I didn't realize it had that complete-word restriction. I also thought I had previously tried wildcards with no luck. I now see wildcards work.</P> <P>Thanks everyone!</P> Wed, 26 Feb 2014 22:31:30 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166717#M47459 sloshburch 2014-02-26T22:31:30Z https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166718#M47460 <P>See somesoni2's comment for the answer to this question.</P> Wed, 26 Feb 2014 22:31:58 GMT https://community.splunk.com/t5/Splunk-Search/CASE-search-option-produces-no-results/m-p/166718#M47460 sloshburch 2014-02-26T22:31:58Z