Splunk Enterprise

Uppercase, Lowercase confusion in Splunk commands

jotne
Communicator

Is there any reason that there are some command parameters that needs uppercase to work and some can use both lower and uppercase?

Eks both of this does work

| timechart count by index

| timechart count BY index

Same with these, works fine.

| lookup dnslookup clientip as src_ip

| lookup dnslookup clientip AS src_ip

But this fails

index in (test1 test2)

Needs to be uppercase

index IN (test1 test2)

 

This fails

cat or dog

Needs to be uppercase

cat OR dog

Where do I find a list and regulation on when to use upper/Lowercase (IN OR AND BY AS etc)?

Labels (1)
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Usually, you find this info in notes under each documentation about commands/operators.

Example you can check this link: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Search/Booleanexpressions

Here the document says: The operators must be capitalized.

It is best to use capital letters for all clauses like AS, BY, IN and operators (OR, AND, NOT).

View solution in original post

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Usually, you find this info in notes under each documentation about commands/operators.

Example you can check this link: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Search/Booleanexpressions

Here the document says: The operators must be capitalized.

It is best to use capital letters for all clauses like AS, BY, IN and operators (OR, AND, NOT).

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...