Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

is the index field in inputs.conf case sensitive?

rjk123
Explorer
‎08-27-2020 04:12 AM

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested?

I also note the sourcetype case is wrong too, so are any/all these fields case sensitive?

actual index name: "target_index"

 

[monitor:///file/path/logfile.log]
index = Target_Index
sourcetype = mBAS_log
disabled = false

Thanks for the help.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-27-2020 06:37 AM

What we had found is that at least older versions of splunk handling sometimes index names as case sensitive and sometimes not. For that reason I propose that never mix the cases on index names.

We e.g. have seen this kind of names on SPLUNK_DB dir:

  • aaa_aaa/thaweddb
  • Aaa_Aaa/db
  • AAA_AAA.dat

Couldn't check which one in which context but all those are generated from one [Aaa_AAA] etc. entry! I don't recall that we have had any functional issues with this, but as soon as we realised this we change the naming to contains only lower case letters, "_" and numbers on index names.

r. Ismo

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...