Getting Data In

Can case_sensitive_match be applied globally?

cdoebert
Path Finder

Is there a "one-shot" way to make all current lookups case-insensitive and ensure future ones are, too?

[default]
case_sensitive_match = 0

... in a /local/transforms.conf seems like the easiest way to do that, but is case_sensitive_match a global variable? If not, is there another way to accomplish this without modifying all lookups individually now and at creation time?

codebuilder
Influencer

If you set case_sensitive_match = false in the [default] stanza of $SPLUNK_HOME/etc/system/local/transforms.conf then yes, it will become global.

The system local directory has the highest precedence and will override settings encountered elsewhere (app default, app local, etc).

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

skoelpin
SplunkTrust
SplunkTrust

A thought here.. You could create a macro which "normalizes" all your data. You then pass that macro in your query like this

index=.. sourcetype=..
| `normalize_macro`
| lookup .. 
0 Karma

somesoni2
Revered Legend

The case_sensitive_match attribute is NOT a global attribute. I don't see any easy way to set it up for all existing lookup definitions but if you're on Splunk 6.5 and above, you get the checkbox to enable/disable this while creating the lookup transform from Splunk Web UI.

cdoebert
Path Finder

That's what I was afraid of; no way to override the global default. Thank you!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...