topic Re: Field Values Case Sensitve in Splunk Search

Field Values Case Sensitve

tmarlette — Wed, 05 Jul 2017 18:12:14 GMT

I have a lookup table, with an ID field that has case specific alphanumeric values in it.

I'm attempting to search for a single user id, however when I put one in, I see at least two results for each, due to splunk seeing the values as case insensitive.

Here is an image.

You'll notice the last letter's being of different case, yet even when using " around the field values, I still get this result set. Is there something that I am missing?

Re: Field Values Case Sensitve

guilmxm — Wed, 05 Jul 2017 18:34:07 GMT

Hi,

Searching for fields values is not case sensitive, use the "where" command (in your case with the same syntax) or CASE():

|  makeresults |  eval foo="bar Bar" |  makemv foo | mvexpand foo
|  where foo=bar

or:

|  makeresults |  eval foo="bar Bar" |  makemv foo | mvexpand foo
|  search foo=CASE(bar)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference

Cheers,

Re: Field Values Case Sensitve

somesoni2 — Wed, 05 Jul 2017 19:37:00 GMT

Use | where instead of | search.

Re: Field Values Case Sensitve

woodcock — Wed, 05 Jul 2017 23:15:31 GMT

Try this:

| inputlookup xxx.csv | regex USER_ID="05000xpmX"

Re: Field Values Case Sensitve

sbbadri — Wed, 05 Jul 2017 23:15:32 GMT

| inputlookup xxx.csv | eval USER_ID=case(05000xpmX)

Re: Field Values Case Sensitve

tmarlette — Thu, 06 Jul 2017 17:06:21 GMT

I tried this, and it doesn't work, Thank you!

Re: Field Values Case Sensitve

DalJeanis — Thu, 06 Jul 2017 18:12:50 GMT

Nice. I wouldn't have thought of regex as a solution. Works, as long as the user id does not have special characters that translate differently in regex-land, in which case they need to be escaped.

Re: Field Values Case Sensitve

tmarlette — Fri, 07 Jul 2017 16:30:41 GMT

This works for an individual user id, but how would I make an automatic lookup case sensitive? Is there a way?

Re: Field Values Case Sensitve

guilmxm — Tue, 11 Jul 2017 10:38:42 GMT

This works for any number of users ID, just use booleans as usually:

|  where foo=bar OR foo=bar2

OR:

|  search foo=CASE(bar) OR foo=CASE(bar2)

The search command will always be case non sensitive, whenever the fields comes an automatic lookup.
The only difference with automatic lookup fields will be the the field name (not the field value) will be case sensitive if it comes from a lookup. (while it is not the case with a raw data field)

Guilhem

Re: Field Values Case Sensitve

tmarlette — Wed, 12 Jul 2017 16:21:54 GMT

The answer I was looking for was to use an automatic lookup and force case sensitive matching. I'm sure I worded the question poorly, and this is what the working config looks like:

props.conf

[mysourcetype]
LOOKUP-SFDC-USER_NAME1 = lookup_usernames USER_ID AS USER_ID

transforms.conf

[lookup_usernames]
filename = lookup_usernames.csv
case_sensitive_match=true

The way to search a table for a specific username is accepted above.

Re: Field Values Case Sensitve

tmarlette — Wed, 12 Jul 2017 16:22:29 GMT

This worked, thank you!