Any way to make tags.conf case insensitive?

jodros
Builder

We use tags frequently in our environment. I recently added some new servers with differing case for their host names. I tried to create tags with all lowercase characters, but the tags would never show. Once I used the exact case, the tags worked fine. However this presents issues. I would like to make the tags.conf be case insensitive. Is there a way to accomplish this without adding multiple entries in all various case possibilities?

Thanks in advance.

0 Karma
1 Solution

lguinn2
Legend

AFAIK, there is no way to do this.

I suggest that you use capitalization consistently and train your users, because this same issue will come up in other contexts, not just tags. Here's the deal:

The Splunk search command is case insensitive for search terms.

All names in Splunk are case sensitive - field names, eventtype names, tag names, saved search names, etc.

Most Splunk commands are case-sensitive. A command that often trips up Splunk users is the where command. People assume that where is like search - but where is case-sensitive and doesn't support wildcards.

So I don't mean to be flip, but creating a bunch of extra tags to avoid this problem -- IMO that won't really help in the end.

(BTW, you can do a case-insensitive lookup. But that's an exception.)

jcorcoran508
Path Finder

Just updating: the where command now supports the "like %" wildcard.

0 Karma

jodros
Builder

How are you using a lookup for tagging hostnames?

0 Karma

jodros
Builder

Thanks lguinn. I knew there was a way of accomplishing this with the case_sensitive_match = false in the transforms.conf for lookups. Was hoping there was something similar for tags.conf. I will try to educate users, but I am sure there will be some duplicate entries taking into account various case combinations.

0 Karma

lguinn2
Legend

BTW, if you are tagging host names, I would consider using a lookup table instead. Hostnames are difficult because some operating systems and devices are case-sensitive and others are not. So it is not uncommon to get a mix of names for the same hosts.

IMO, a lookup table is easier to maintain for host names - and it can be set to do a case-insensitive lookup, automatically. More info here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

0 Karma
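
The lookup approach suggested in this thread, sketched as an added example that is not part of the original posts. The file name `host_tags.csv`, the stanza name `host_tags`, the output field `host_role` and the sourcetype `my_sourcetype` are hypothetical placeholders; `case_sensitive_match` is the transforms.conf setting named above.

```ini
# Added example; file, stanza, field and sourcetype names are hypothetical.

# --- lookups/host_tags.csv (constructed sample rows; keys kept lowercase) ---
# host,host_role
# web01,web
# db01,database

# --- transforms.conf ---
[host_tags]
filename = host_tags.csv
# Match the event's host value against the CSV regardless of case, so
# WEB01, Web01 and web01 all resolve to the same row.
case_sensitive_match = false

# --- props.conf ---
# Automatic search-time lookup: adds host_role to events of this sourcetype
# when the host is found in the table (OUTPUTNEW does not overwrite an
# existing host_role field).
[my_sourcetype]
LOOKUP-host_tags = host_tags host OUTPUTNEW host_role
```

With this in place, a search can filter on `host_role=web` where it would otherwise have used a host tag, and only one CSV row per host needs to be maintained.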