Getting Data In
Highlighted

are sourcetype names case-sensitive?

Contributor

Yet another case-sensitivity question: are sourcetype names case-sensitive?

0 Karma
Highlighted

Re: are sourcetype names case-sensitive?

Path Finder

You can try this yourself 🙂

sourcetype="wineventlog:security"

instead of

sourcetype="WinEventLog:Security"

both work, so I'm assuming its not case sensitive

Highlighted

Re: are sourcetype names case-sensitive?

SplunkTrust
SplunkTrust

In search, no they are not. Note that this is very similar to the more general question:

http://answers.splunk.com/questions/65/are-field-values-case-sensitive

See my answer there. I go into a little more detail there which you might find interesting.

View solution in original post

Highlighted

Re: are sourcetype names case-sensitive?

Splunk Employee
Splunk Employee

Well...in props.conf I think they will be (unless you express the stanza like: [::(?i)mYSourCeTypeName]. In thesearchcommand (which is implicit at the start of a query) they won't be, but forwherecomparisons in search queries,stats` values, etc., they will be.

It's not whether the names themselves are case-sensitive. It's whether whatever you're doing at the time is sensitive to the case of the names. It's more accurate to say that Splunk is case-sensitive in most places where you'd use a sourcetype name, and that the search command is actually an exception.

0 Karma