I have a lookup table, with an ID field that has case specific alphanumeric values in it.
I'm attempting to search for a single user ID; however, when I put one in, I see at least two results for each, due to Splunk seeing the values as case insensitive.
Here is an image.
You'll notice the last letters being of different case, yet even when using " around the field values, I still get this result set. Is there something that I am missing?
The answer I was looking for was to use an automatic lookup and force case sensitive matching. I'm sure I worded the question poorly, and this is what the working config looks like:
props.conf
[mysourcetype]
LOOKUP-SFDC-USER_NAME1 = lookup_usernames USER_ID AS USER_ID
transforms.conf
[lookup_usernames]
filename = lookup_usernames.csv
case_sensitive_match=true
The way to search a table for a specific username is accepted above.
Try this:
| inputlookup xxx.csv | regex USER_ID="05000xpmX"
This worked, thank you!
Nice. I wouldn't have thought of regex as a solution. Works, as long as the user ID does not have special characters that translate differently in regex-land, in which case they need to be escaped.
| inputlookup xxx.csv | eval USER_ID=case(05000xpmX)
I tried this, and it doesn't work. Thank you!
Use | where instead of | search.
Hi,
Searching for field values is not case sensitive; use the "where" command (in your case with the same syntax) or CASE():
| makeresults | eval foo="bar Bar" | makemv foo | mvexpand foo
| where foo="bar"
or:
| makeresults | eval foo="bar Bar" | makemv foo | mvexpand foo
| search foo=CASE(bar)
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference
Cheers,
This works for an individual user id, but how would I make an automatic lookup case sensitive? Is there a way?
This works for any number of user IDs; just use booleans as usual:
| where foo="bar" OR foo="bar2"
OR:
| search foo=CASE(bar) OR foo=CASE(bar2)
The search command will always be case insensitive, whenever the fields come from an automatic lookup.
The only difference with automatic lookup fields will be that the field name (not the field value) will be case sensitive if it comes from a lookup (while this is not the case with a raw data field).
Guilhem
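Added example (not from any poster in this thread, and not Splunk code): a Python sketch that emulates the matching behaviours discussed above on a constructed CSV. It lists the keys that collide under case-insensitive matching and shows why a literal ID passed to regex should be escaped and anchored. The sample IDs, names, and function names are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample lookup; every USER_ID and USER_NAME here is made up.
SAMPLE_CSV = """USER_ID,USER_NAME
05000xpmX,alice
05000xpmx,bob
05000abcD,carol
05000a.cD,dave
"""

def load_rows(text):
    """Parse lookup CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def case_collisions(rows, key="USER_ID"):
    """Return key values that differ only by letter case, grouped by folded form.

    Any group listed here yields multiple rows under case-insensitive matching.
    """
    groups = defaultdict(set)
    for row in rows:
        groups[row[key].casefold()].add(row[key])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def match_insensitive(rows, value, key="USER_ID"):
    """Emulates a case-insensitive field comparison (the behaviour in the question)."""
    return [r for r in rows if r[key].casefold() == value.casefold()]

def match_exact(rows, value, key="USER_ID"):
    """Emulates a case-sensitive comparison."""
    return [r for r in rows if r[key] == value]

def exact_pattern(value):
    """Build a pattern that matches only the literal value, in full."""
    return "^" + re.escape(value) + "$"

def match_regex(rows, pattern, key="USER_ID"):
    """Unanchored regex search over the key column; case sensitive by default."""
    rx = re.compile(pattern)
    return [r for r in rows if rx.search(r[key])]

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("colliding keys:", case_collisions(rows))
    print("insensitive:", match_insensitive(rows, "05000xpmX"))
    print("exact:", match_exact(rows, "05000xpmX"))
    print("raw regex:", match_regex(rows, "05000a.cD"))
    print("escaped regex:", match_regex(rows, exact_pattern("05000a.cD")))
```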