Re: Field values are case insensitive?

vn_g · ‎12-14-2020

index="win*" host="abc" -- doesnt give results

index="win*" host="ABC" -- gives results

But , it is not suppose to function that way , since I heard Field values are case insensitive? Kindly help

nickhills · ‎12-15-2020

Field values in search are not case sensitive

However some other commands like stats, sort do utilise case sensitivity.
Also by default, lookups are also case sensitive (although this is configurable)

I can not offer an explanation of why the two very simple examples above would produce different results. Are you able to provide a screenshot demonstrating this?

Are you testing with simple queries (like the example) or is this behaviour observed as part of a larger query?

If my comment helps, please give it a thumbs up!

vn_g · ‎01-07-2021

I have attached the screenshot. I am using the simple query which has only index and host name. The hostname is in the format -- AAAAAANNNNNA.

vn_g · ‎12-15-2020

Yes , I am just using the basic search query index and host value .

nickhills · ‎12-15-2020

What is the format of the hostname?

I can see it's euraXXXXXXXX can you give a full example like this:

eura0-y34-abc3
AAAAN-ANN-AAAN

Where A is a letter, N is a Number and any other character is shown

If my comment helps, please give it a thumbs up!

vn_g · ‎12-15-2020

It is like AAAAAANNNNNA

Field values are case insensitive?

fields

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes