Solved: Uppercase, Lowercase confusion in Splunk commands

jotne · ‎02-19-2021

Is there any reason that there are some command parameters that needs uppercase to work and some can use both lower and uppercase?

Eks both of this does work

| timechart count by index

| timechart count BY index

Same with these, works fine.

| lookup dnslookup clientip as src_ip

| lookup dnslookup clientip AS src_ip

But this fails

index in (test1 test2)

Needs to be uppercase

index IN (test1 test2)

This fails

cat or dog

Needs to be uppercase

cat OR dog

Where do I find a list and regulation on when to use upper/Lowercase (IN OR AND BY AS etc)?

manjunathmeti · ‎02-19-2021

Usually, you find this info in notes under each documentation about commands/operators.

Example you can check this link: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Search/Booleanexpressions

Here the document says: The operators must be capitalized.

It is best to use capital letters for all clauses like AS, BY, IN and operators (OR, AND, NOT).

View solution in original post

manjunathmeti · ‎02-19-2021

Usually, you find this info in notes under each documentation about commands/operators.

Example you can check this link: https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Search/Booleanexpressions

Here the document says: The operators must be capitalized.

It is best to use capital letters for all clauses like AS, BY, IN and operators (OR, AND, NOT).

Uppercase, Lowercase confusion in Splunk commands

using Splunk Enterprise

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...