Can case_sensitive_match be applied globally?

cdoebert · ‎04-24-2019

Is there a "one-shot" way to make all current lookups case-insensitive and ensure future ones are, too?

[default]
case_sensitive_match = 0

... in a /local/transforms.conf seems like the easiest way to do that, but is case_sensitive_match a global variable? If not, is there another way to accomplish this without modifying all lookups individually now and at creation time?

codebuilder · ‎04-30-2019

If you set case_sensitive_match = false in the [default] stanza of $SPLUNK_HOME/etc/system/local/transforms.conf then yes, it will become global.

The system local directory has the highest precedence and will override settings encountered elsewhere (app default, app local, etc).

----
An upvote would be appreciated and Accept Solution if it helps!

skoelpin · ‎04-29-2019

A thought here.. You could create a macro which "normalizes" all your data. You then pass that macro in your query like this

index=.. sourcetype=..
| `normalize_macro`
| lookup ..

somesoni2 · ‎04-25-2019

The case_sensitive_match attribute is NOT a global attribute. I don't see any easy way to set it up for all existing lookup definitions but if you're on Splunk 6.5 and above, you get the checkbox to enable/disable this while creating the lookup transform from Splunk Web UI.

cdoebert · ‎04-25-2019

That's what I was afraid of; no way to override the global default. Thank you!

Can case_sensitive_match be applied globally?

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup