Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

is the index field in inputs.conf case sensitive?

rjk123
Explorer
‎08-27-2020 04:12 AM

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested?

I also note the sourcetype case is wrong too, so are any/all these fields case sensitive?

actual index name: "target_index"

 

[monitor:///file/path/logfile.log]
index = Target_Index
sourcetype = mBAS_log
disabled = false

Thanks for the help.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-27-2020 06:37 AM

What we had found is that at least older versions of splunk handling sometimes index names as case sensitive and sometimes not. For that reason I propose that never mix the cases on index names.

We e.g. have seen this kind of names on SPLUNK_DB dir:

  • aaa_aaa/thaweddb
  • Aaa_Aaa/db
  • AAA_AAA.dat

Couldn't check which one in which context but all those are generated from one [Aaa_AAA] etc. entry! I don't recall that we have had any functional issues with this, but as soon as we realised this we change the naming to contains only lower case letters, "_" and numbers on index names.

r. Ismo

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top