Solved: is the index field in inputs.conf case sensitive?

rjk123 · ‎08-27-2020

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested?

I also note the sourcetype case is wrong too, so are any/all these fields case sensitive?

actual index name: "target_index"

[monitor:///file/path/logfile.log]
index = Target_Index
sourcetype = mBAS_log
disabled = false

Thanks for the help.

rjk123 · ‎08-27-2020

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

View solution in original post

rjk123 · ‎08-27-2020

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

isoutamo · ‎08-27-2020

What we had found is that at least older versions of splunk handling sometimes index names as case sensitive and sometimes not. For that reason I propose that never mix the cases on index names.

We e.g. have seen this kind of names on SPLUNK_DB dir:

aaa_aaa/thaweddb
Aaa_Aaa/db
AAA_AAA.dat

Couldn't check which one in which context but all those are generated from one [Aaa_AAA] etc. entry! I don't recall that we have had any functional issues with this, but as soon as we realised this we change the naming to contains only lower case letters, "_" and numbers on index names.

r. Ismo

is the index field in inputs.conf case sensitive?

index

inputs.conf

universal forwarder

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms