Getting Data In

Can case_sensitive_match be applied globally?

cdoebert
Path Finder

Is there a "one-shot" way to make all current lookups case-insensitive and ensure future ones are, too?

[default]
case_sensitive_match = 0

... in a /local/transforms.conf seems like the easiest way to do that, but is case_sensitive_match a global variable? If not, is there another way to accomplish this without modifying all lookups individually now and at creation time?

codebuilder
SplunkTrust
SplunkTrust

If you set case_sensitive_match = false in the [default] stanza of $SPLUNK_HOME/etc/system/local/transforms.conf then yes, it will become global.

The system local directory has the highest precedence and will override settings encountered elsewhere (app default, app local, etc).

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

skoelpin
SplunkTrust
SplunkTrust

A thought here.. You could create a macro which "normalizes" all your data. You then pass that macro in your query like this

index=.. sourcetype=..
| `normalize_macro`
| lookup .. 
0 Karma

somesoni2
Revered Legend

The case_sensitive_match attribute is NOT a global attribute. I don't see any easy way to set it up for all existing lookup definitions but if you're on Splunk 6.5 and above, you get the checkbox to enable/disable this while creating the lookup transform from Splunk Web UI.

cdoebert
Path Finder

That's what I was afraid of; no way to override the global default. Thank you!

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...