Re: Can case_sensitive_match be applied globally?

cdoebert · ‎04-24-2019

Is there a "one-shot" way to make all current lookups case-insensitive and ensure future ones are, too?

[default]
case_sensitive_match = 0

... in a /local/transforms.conf seems like the easiest way to do that, but is case_sensitive_match a global variable? If not, is there another way to accomplish this without modifying all lookups individually now and at creation time?

codebuilder · ‎04-30-2019

If you set case_sensitive_match = false in the [default] stanza of $SPLUNK_HOME/etc/system/local/transforms.conf then yes, it will become global.

The system local directory has the highest precedence and will override settings encountered elsewhere (app default, app local, etc).

----
An upvote would be appreciated and Accept Solution if it helps!

skoelpin · ‎04-29-2019

A thought here.. You could create a macro which "normalizes" all your data. You then pass that macro in your query like this

index=.. sourcetype=..
| `normalize_macro`
| lookup ..

somesoni2 · ‎04-25-2019

The case_sensitive_match attribute is NOT a global attribute. I don't see any easy way to set it up for all existing lookup definitions but if you're on Splunk 6.5 and above, you get the checkbox to enable/disable this while creating the lookup transform from Splunk Web UI.

cdoebert · ‎04-25-2019

That's what I was afraid of; no way to override the global default. Thank you!

Can case_sensitive_match be applied globally?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation