I have a lookup table, with an ID field that has case specific alphanumeric values in it.
I'm attempting to search for a single user id, however when I put one in, I see at least two results for each, due to Splunk seeing the values as case insensitive.
Here is an image.
You'll notice the last letters being of different case, yet even when using " around the field values, I still get this result set. Is there something that I am missing?
Searching for field values is not case sensitive, use the "where" command (in your case with the same syntax) or CASE():
| makeresults | eval foo="bar Bar" | makemv foo | mvexpand foo | where foo="bar"
| makeresults | eval foo="bar Bar" | makemv foo | mvexpand foo | search foo=CASE(bar)
This works for any number of user IDs, just use booleans as usual:
| where foo="bar" OR foo="bar2"
| search foo=CASE(bar) OR foo=CASE(bar2)
The search command will always be case insensitive, whenever the field comes from an automatic lookup.
The only difference with automatic lookup fields will be that the field name (not the field value) will be case sensitive if it comes from a lookup (while it is not the case with a raw data field).
Nice. I wouldn't have thought of regex as a solution. Works, as long as the user id does not have special characters that translate differently in regex-land, in which case they need to be escaped.
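To see the escaping caveat next to the exact-match comparison, here is an added example that is not part of the original thread. The field name `sample_id` and the three IDs are constructed for illustration. It flags each row for a case-sensitive string comparison (the same comparison `where` performs), an unescaped regex, and an escaped regex.

```spl
| makeresults
| eval sample_id=split("a.b+C,a.b+c,aXbbC", ",")
| mvexpand sample_id
| eval exact_compare=if(sample_id="a.b+C", 1, 0)
| eval regex_unescaped=if(match(sample_id, "^a.b+C$"), 1, 0)
| eval regex_escaped=if(match(sample_id, "^a\.b\+C$"), 1, 0)
| table sample_id exact_compare regex_unescaped regex_escaped
```

In the unescaped pattern `.` matches any character and `+` is a quantifier, so it accepts `aXbbC` and rejects the literal ID `a.b+C`. The quoted comparison and the escaped pattern accept only `a.b+C`.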