Splunk Search

How to ignore case sensitive input in lookup files?

greeshmak
Explorer

Hi,

I have created a lookup file with 10 rows in my Splunk search, but while using the lookup I'm facing a lot of challenges. I entered the inputs in CAPS, though the inputs are not always in CAPS. Example:

I have a lookup like below:

flavor, color
Chocolate, BROWN
Vanila,WHITE
Oreo,BLACK

I defined the color in CAPS. Sometimes we are logging the color in small letters, as Brown, brown.

Is there any way to ignore the case in the lookup file?


bschaap
Path Finder

Recent versions of Splunk allow the setting to be changed through the Web UI. Click "Settings" > "Lookups" > "Lookup definitions" and find the lookup you would like to modify. Check "advanced options" and either check or uncheck "Case sensitive match" depending on your preference.

mathiask
Communicator

Is this option still available?
I am using 7.1.2 and there is no such GUI option.
This option needs to be set in the config file, which is not very optimal when someone opens and saves it and accidentally removes it.

0 Karma

harishalipaka
Motivator

Hi @mathiask,

I am using Splunk 7.1.1.

That option is available.

Click on your lookup file, then a check box named "advanced options" will appear.

Thanks
Harish
0 Karma

mathiask
Communicator

Thanks.
- Apparently this option is available for lookup files
- but it is not available for KV store lookups

@lguinn
Is this working as intended or just a minor oversight?
It is possible to set this in the config file for KV store lookups.

0 Karma

macadminrohit
Contributor

I think it doesn't work. I still have to change the case to match the lookup field values.

0 Karma

lguinn2
Legend

Yes, in the transforms.conf where the lookup is defined, you can do this:

[yourlookuptable]
case_sensitive_match = false

EDIT: This is no longer true: There is no way to set this from the Splunk user interface.
In Splunk 7.0, the transforms.conf setting now appears in the user interface.
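
An added example, not part of the original thread: a small check that reads transforms.conf text and reports which lookup definitions have `case_sensitive_match` disabled, enabled, or missing, which covers the concern above about the line being dropped when the file is edited. The stanza names, file names and sample content are constructed, and the script inspects one file's text only (it does not merge Splunk's layered configuration).

```python
import configparser

# Constructed sample transforms.conf text (stanza and file names are made up).
SAMPLE_TRANSFORMS = """
[flavor_lookup]
filename = flavors.csv
case_sensitive_match = false

[color_lookup]
filename = colors.csv

[kv_assets]
external_type = kvstore
collection = assets
case_sensitive_match = true

[extract_user]
REGEX = user=(\\w+)
FORMAT = user::$1
"""

def audit_lookup_case(conf_text):
    """Return {stanza: status} for every lookup stanza in transforms.conf text."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        keys = parser[stanza]
        # Treat a stanza as a lookup definition if it names a lookup file
        # or an external type such as kvstore; skip field extractions etc.
        if "filename" not in keys and "external_type" not in keys:
            continue
        raw = keys.get("case_sensitive_match")
        if raw is None:
            # Without the setting, lookup matching is case-sensitive.
            report[stanza] = "missing (case-sensitive by default)"
        elif raw.strip().lower() in ("false", "0"):
            report[stanza] = "case-insensitive"
        else:
            report[stanza] = "case-sensitive"
    return report

if __name__ == "__main__":
    for name, status in audit_lookup_case(SAMPLE_TRANSFORMS).items():
        print(f"{name}: {status}")
```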

mtranchita
Communicator

While it's true you can't ignore case in a lookup as part of a search, you can use the eval command and set all the values of a given field to lower (or upper) case.
I agree that the "right" way to do it is to edit the transforms so that the lookup is case insensitive like 'normal' searches.

Reference:
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval#3._Convert_values_to_lowercas...
