Solved: How to make a search case-sensitive?

muebel · ‎07-28-2010

How can I make a search case-sensitive? That is to say, I search for the general term "FOO" and want to only match "FOO" in results, and not "foo"

cyue_splunk · ‎12-27-2012

CASE(foo) will only return events with "foo", but not "FOO" or "Foo".

View solution in original post

jburman123 · ‎07-31-2014

I am using SPLUNK Enterprise 6.1, your suggestion of using | where field="FOO" fails

jburman123 · ‎07-29-2014

I want to perform a simple substring match that is case sensitive; for example find all occurrences of Test in a text file and ignore strings like test or test*. If you try CASE(Test) it fails? Any suggestions?

Nikita_Danilov · ‎07-02-2014

What Splunk's version are you using? Try it:

| where field="FOO"

cyue_splunk · ‎12-27-2012

CASE(foo) will only return events with "foo", but not "FOO" or "Foo".

northben · ‎05-19-2016

and in a strange irony, the CASE command is case-sensitive

bwooden · ‎07-28-2010

If the field is extracted: http://answers.splunk.com/questions/3485/can-i-make-field-values-case-sensitive

That thread also contains another technique if the field is not extracted.

ftk · ‎07-28-2010

Hmm, I don't think you can turn case sensitivity on in the general search, but you should be able to hack it with rex:

foo | rex "(?<uppercase>FOO)" | search uppercase=*

How to make a search case-sensitive?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?