Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

is the index field in inputs.conf case sensitive?

rjk123
Explorer
‎08-27-2020 04:12 AM

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested?

I also note the sourcetype case is wrong too, so are any/all these fields case sensitive?

actual index name: "target_index"

 

[monitor:///file/path/logfile.log]
index = Target_Index
sourcetype = mBAS_log
disabled = false

Thanks for the help.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjk123
Explorer
‎08-27-2020 05:13 AM

Don't worry, I think I found it.

I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk.

Answer = NOT case sensitive.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-27-2020 06:37 AM

What we had found is that at least older versions of splunk handling sometimes index names as case sensitive and sometimes not. For that reason I propose that never mix the cases on index names.

We e.g. have seen this kind of names on SPLUNK_DB dir:

  • aaa_aaa/thaweddb
  • Aaa_Aaa/db
  • AAA_AAA.dat

Couldn't check which one in which context but all those are generated from one [Aaa_AAA] etc. entry! I don't recall that we have had any functional issues with this, but as soon as we realised this we change the naming to contains only lower case letters, "_" and numbers on index names.

r. Ismo

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...