Field values are case insensitive?

vn_g · ‎12-14-2020

index="win*" host="abc" -- doesnt give results

index="win*" host="ABC" -- gives results

But , it is not suppose to function that way , since I heard Field values are case insensitive? Kindly help

nickhills · ‎12-15-2020

Field values in search are not case sensitive

However some other commands like stats, sort do utilise case sensitivity.
Also by default, lookups are also case sensitive (although this is configurable)

I can not offer an explanation of why the two very simple examples above would produce different results. Are you able to provide a screenshot demonstrating this?

Are you testing with simple queries (like the example) or is this behaviour observed as part of a larger query?

If my comment helps, please give it a thumbs up!

vn_g · ‎01-07-2021

I have attached the screenshot. I am using the simple query which has only index and host name. The hostname is in the format -- AAAAAANNNNNA.

vn_g · ‎12-15-2020

Yes , I am just using the basic search query index and host value .

nickhills · ‎12-15-2020

What is the format of the hostname?

I can see it's euraXXXXXXXX can you give a full example like this:

eura0-y34-abc3
AAAAN-ANN-AAAN

Where A is a letter, N is a Number and any other character is shown

If my comment helps, please give it a thumbs up!

vn_g · ‎12-15-2020

It is like AAAAAANNNNNA

Field values are case insensitive?

fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms