case insensitive search in inputlookup from a KV s...

TomWhite · ‎12-01-2020

We are currently using an inputlookup command to populate a list based on some wild card searches using input tokens from a KV store lookup with customer details like below

| inputlookup $site$-patrondetails WHERE FirstName=$firstname|s$
patron = $patron_id|s$
LastName = $patron_surname|s$
ResAddr = $patron_address|s$
MobilePhone = $patron_mobile|s$

where the token values are based on the value the user types into an input text box and the site token is a drop down value.

until recently we havinputlookup e had 2 sites where all the data in the source system is stored in uppercase but we have recently onboarded a 3rd site where the data is stored in both upper and lower case values. as it turns out the where clause in is case sensitive.

I have tried adding case_sensitive_match = false to the transform.conf stanza for this patrondetails lookup definition but this has not seemed to have any effect on the results being returned from the search. Have I missed something with this config or is there something else I need to add

Any help would be appreciated,

Tom

tomasmoser · ‎07-09-2021

Same issue here.

tmoser · ‎04-18-2025

KV Store supports only case sensitive content:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/DefineaKVStorelookupinSplunkWeb

Tomas

tmoser · ‎04-18-2025

Looks like I was not completely true. It's more complicated. But there is a way:

From transforms.conf.spec file:

NOTE: For KV Store lookups, a setting of 'case_sensitive_match=false' is honored only when the data in the KV Store lookup table is entirely in lower case. The input data can be in any case.

Context:

case_sensitive_match = <boolean>
* If set to true, Splunk software performs case sensitive matching for all
  fields in a lookup table.
* If set to false, Splunk software performs case insensitive matching for all
  fields in a lookup table.
* NOTE: For KV Store lookups, a setting of 'case_sensitive_match=false' is
  honored only when the data in the KV Store lookup table is entirely in lower
  case. The input data can be in any case.
* For case sensitive field matching in reverse lookups see
  reverse_lookup_honor_case_sensitive_match.
* Default: true

dschroeter · ‎03-04-2021

Me too. I also set case_sensitive_match = false.

As written in the documentation, I changed the values to lower ones in the KV Store. An exact match is working, but also when all values are lower ones in KV store i cannot use an Upper value to search for.

| inputlookup XXX where field=value does not work case insensitive

| inputlookup XXX | search field=value does work case insensitive

So it seems to be a bug in where

TomWhite · ‎03-04-2021

unfortunately the lookup I'm searching has 5 million rows and 25ish columns so Loading the whole lookup is not a practical solution

dominikatvastli · ‎02-08-2021

@TomWhiteI'm facing the same problem. Have you ever found a resolution for this?

case insensitive search in inputlookup from a KV store

configuration

development

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation