Re: Can I search with case insensitive fields.

iet_ashish · ‎04-20-2020

Hello there,

Is there a way to address all fields case insensitively.
To illustrate my point I have this query,

index=*aws_config* resourceType="AWS::EC2::Volume" 
| eval tag_CostCenter=If(isnotnull('tags.Brand.CostCenter') OR isnotnull('tags.brand.costcenter') OR isnotnull('tags.brand.Costcenter' OR isnotnull('tags.brand.costCenter' OR isnotnull('tags.brand.COSTCENTER' OR isnotnull('tags.brand.costCENTER'), "Yes", "No")

My data can have fields CostCenter, costCenter, COSTCENTER and many other case variations (And there can be tens of variations). Currently I am handling them by separating each variation with an OR. Is there a way to collectively query on all such case variations of a a field name instead of using multiple OR clauses.
I know we can use coalesce or field aliases but that still means that I need to specify all possible field names somewhere.

Thanks.

to4kawa · ‎04-20-2020

first, make table and use transpose and lower

 index=*aws_config* resourceType="AWS::EC2::Volume" 
| table tags*
| transpose 0 column_name=tags
| eval tags=lower(tags)

so, aggregate these bystats ...

Can I search with case insensitive fields.

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)