Splunk Search

How to make a search case-sensitive?

muebel
SplunkTrust
SplunkTrust

How can I make a search case-sensitive? That is to say, I search for the general term "FOO" and want to only match "FOO" in results, and not "foo"

Tags (2)
1 Solution

cyue_splunk
Splunk Employee
Splunk Employee

CASE(foo) will only return events with "foo", but not "FOO" or "Foo".

View solution in original post

jburman123
Explorer

I am using SPLUNK Enterprise 6.1, your suggestion of using | where field="FOO" fails

0 Karma

jburman123
Explorer

I want to perform a simple substring match that is case sensitive; for example find all occurrences of Test in a text file and ignore strings like test or test*. If you try CASE(Test) it fails? Any suggestions?

Nikita_Danilov
Path Finder

What Splunk's version are you using? Try it:

| where field="FOO"
0 Karma

cyue_splunk
Splunk Employee
Splunk Employee

CASE(foo) will only return events with "foo", but not "FOO" or "Foo".

northben
Explorer

and in a strange irony, the CASE command is case-sensitive

bwooden
Splunk Employee
Splunk Employee

If the field is extracted: http://answers.splunk.com/questions/3485/can-i-make-field-values-case-sensitive

That thread also contains another technique if the field is not extracted.

ftk
Motivator

Hmm, I don't think you can turn case sensitivity on in the general search, but you should be able to hack it with rex:

foo | rex "(?<uppercase>FOO)" | search uppercase=*
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...