Yet another case-sensitivity question: are sourcetype names case-sensitive?
In search, no they are not. Note that this is very similar to the more general question:
http://answers.splunk.com/questions/65/are-field-values-case-sensitive
See my answer there. I go into a little more detail there which you might find interesting.
sourcetype in props.conf is case-sensitive
[MySourcetype] is different from [mysourcetype]
From Splunk Documentation (props.conf)
By default, [source::<source>] and [<sourcetype>] stanzas match in a case-sensitive manner, while [host::<host>] stanzas match in a case-insensitive manner. This is a convenient default, given that DNS names are case-insensitive.
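As an added example (not part of the original thread and not Splunk code), this Python check applies the documentation quoted above to a props.conf file and flags stanza names that differ only by case. The sample config, the function names and the `split`/`overlap` labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample props.conf text for illustration (not from a real deployment).
SAMPLE_PROPS = """\
[MySourcetype]
TRUNCATE = 10000

[mysourcetype]
TRUNCATE = 20000

[host::WebServer01]
TZ = UTC

[host::webserver01]
TZ = US/Pacific

[source::/var/log/app.log]
sourcetype = MySourcetype
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")

def stanza_kind(name):
    """Classify a stanza header; anything without a host::/source:: prefix is
    treated as a sourcetype stanza (a simplification made for this example)."""
    if name.startswith("host::"):
        return "host"
    if name.startswith("source::"):
        return "source"
    return "sourcetype"

def find_case_collisions(props_text):
    """Return (kind, names, effect) for stanza names that differ only by case."""
    groups = defaultdict(list)
    for line in props_text.splitlines():
        m = STANZA_RE.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        bucket = groups[(stanza_kind(name), name.lower())]
        if name not in bucket:
            bucket.append(name)
    findings = []
    for (kind, _), names in groups.items():
        if len(names) > 1:
            # Per the quoted documentation: host stanzas match case-insensitively
            # (both apply to the same host); source and sourcetype stanzas match
            # case-sensitively (settings are split between the spellings).
            findings.append((kind, names, "overlap" if kind == "host" else "split"))
    return findings
```

Calling `find_case_collisions(SAMPLE_PROPS)` reports the `MySourcetype`/`mysourcetype` pair as `split` and the two host stanzas as `overlap`.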
Well...in props.conf I think they will be (unless you express the stanza like: [::(?i)mYSourCeTypeName]). In the `search` command (which is implicit at the start of a query) they won't be, but for `where` comparisons in search queries, `stats` values, etc., they will be.
It's not whether the names themselves are case-sensitive. It's whether whatever you're doing at the time is sensitive to the case of the names. It's more accurate to say that Splunk is case-sensitive in most places where you'd use a sourcetype name, and that the `search` command is actually an exception.
You can try this yourself 🙂
sourcetype="wineventlog:security"
instead of
sourcetype="WinEventLog:Security"
both work, so I'm assuming it's not case sensitive
This is not my experience.
index=* sourcetype=Xmlwineventlog | stats count by sourcetype
returns stats for sourcetype XmlWinEventLog
index=* sourcetype=xmlwineventlog | stats count by sourcetype
returns stats for sourcetype XmlWinEventLog and sourcetype xmlwineventlog.
I agree on the XmlWinEventLog vs xmlwineventlog. Splunk has something here that is not "normal" behavior.