Is there a "one-shot" way to make all current lookups case-insensitive and ensure future ones are, too?
[default]
case_sensitive_match = 0
... in a /local/transforms.conf seems like the easiest way to do that, but is case_sensitive_match a global variable? If not, is there another way to accomplish this without modifying all lookups individually now and at creation time?
If you set case_sensitive_match = false in the [default] stanza of $SPLUNK_HOME/etc/system/local/transforms.conf then yes, it will become global.
The system local directory has the highest precedence and will override settings encountered elsewhere (app default, app local, etc).
A thought here.. You could create a macro which "normalizes" all your data. You then pass that macro in your query like this
index=.. sourcetype=..
| `normalize_macro`
| lookup ..
The case_sensitive_match attribute is NOT a global attribute. I don't see any easy way to set it up for all existing lookup definitions but if you're on Splunk 6.5 and above, you get the checkbox to enable/disable this while creating the lookup transform from Splunk Web UI.
That's what I was afraid of; no way to override the global default. Thank you!