Solved: Re: Field Values Case Sensitve

tmarlette · ‎07-05-2017

I have a lookup table, with an ID field that has case specific alphanumeric values in it.

I'm attempting to search for a single user id, however when I put one in, I see at least two results for each, due to splunk seeing the values as case insensitive.

Here is an image.

You'll notice the last letter's being of different case, yet even when using " around the field values, I still get this result set. Is there something that I am missing?

woodcock · ‎07-05-2017

Try this:

| inputlookup xxx.csv | regex USER_ID="05000xpmX"

View solution in original post

tmarlette · ‎07-12-2017

The answer I was looking for was to use an automatic lookup and force case sensitive matching. I'm sure I worded the question poorly, and this is what the working config looks like:

props.conf

[mysourcetype]
LOOKUP-SFDC-USER_NAME1 = lookup_usernames USER_ID AS USER_ID

transforms.conf

[lookup_usernames]
filename = lookup_usernames.csv
case_sensitive_match=true

The way to search a table for a specific username is accepted above.

woodcock · ‎07-05-2017

Try this:

| inputlookup xxx.csv | regex USER_ID="05000xpmX"

tmarlette · ‎07-12-2017

This worked, thank you!

DalJeanis · ‎07-06-2017

Nice. I wouldn't have thought of regex as a solution. Works, as long as the user id does not have special characters that translate differently in regex-land, in which case they need to be escaped.

sbbadri · ‎07-05-2017

| inputlookup xxx.csv | eval USER_ID=case(05000xpmX)

tmarlette · ‎07-06-2017

I tried this, and it doesn't work, Thank you!

somesoni2 · ‎07-05-2017

Use | where instead of | search.

guilmxm · ‎07-05-2017

Hi,

Searching for fields values is not case sensitive, use the "where" command (in your case with the same syntax) or CASE():

|  makeresults |  eval foo="bar Bar" |  makemv foo | mvexpand foo
|  where foo=bar

or:

|  makeresults |  eval foo="bar Bar" |  makemv foo | mvexpand foo
|  search foo=CASE(bar)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference

Cheers,

tmarlette · ‎07-07-2017

This works for an individual user id, but how would I make an automatic lookup case sensitive? Is there a way?

guilmxm · ‎07-11-2017

This works for any number of users ID, just use booleans as usually:

|  where foo=bar OR foo=bar2

OR:

|  search foo=CASE(bar) OR foo=CASE(bar2)

The search command will always be case non sensitive, whenever the fields comes an automatic lookup.
The only difference with automatic lookup fields will be the the field name (not the field value) will be case sensitive if it comes from a lookup. (while it is not the case with a raw data field)

Guilhem

Field Values Case Sensitve

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation