Hi all,
I need to make all searches in Splunk 6.1.1 case insensitive by default.
For example, this search is case insensitive:
index=_internal log_level=info
But this search is case sensitive:
index=_internal | where log_level=info
Hm, strange... Why? Maybe it's a bug and I need to report it? How can I set case-insensitive search as the default everywhere? I know about the function lower(), but that only solves particular cases.
Thanks.
That's not a bug, Splunk is case sensitive except in the search command. (Maybe there's a few more exceptions...)
In your example, you could do this:
index=_internal | ... | search log_level=info
That'll find info, Info, INFO, ...
Dunno. lower() should be pretty quick, and match() with a fast regular expression such as this one, anchored at both ends without any multiplicity or options, should be pretty quick as well.
Here's another option, didn't test its speed:
count(eval(searchmatch("log_level=info")))
Does match(,) have better performance than lower()?
You could do this:
count(eval(match(log_level, "(?i)^info$")))
Or this for much more readability in case you have multiple long statements:
... | eval info_level = if(match(log_level, "(?i)^info$"), 1, 0) | stats sum(info_level)
The other answers you found may be referring to the search command, which indeed does treat values as case insensitive.
Martin, thanks, but what about count(eval(log_level=info))? Do I need to use lower() everywhere? Where can I find information about these "exceptions"? This case surprised me, because in other Answers people say that "Splunk is case InSensitive".
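As an added illustration that is not part of the original thread, the two searches below put the approaches discussed here side by side on the same data. The first one counts matching events four different ways inside a single stats command so you can compare them directly; the three case-insensitive counts (lower(), match() with (?i), searchmatch()) should agree, while the plain eval comparison log_level="info" will be lower whenever the index also holds values such as "INFO" or "Info". The second search shows the normalize-once pattern: lowercase the field with eval and then compare in where. The field name log_level and the index _internal are the ones used in the thread; the output field names (total, info_lower, and so on) are my own.

```spl
index=_internal
| stats count AS total,
        count(eval(lower(log_level)="info"))             AS info_lower,
        count(eval(match(log_level, "(?i)^info$")))      AS info_regex,
        count(eval(searchmatch("log_level=info")))       AS info_searchmatch,
        count(eval(log_level="info"))                    AS info_case_sensitive

index=_internal
| eval level_lc=lower(log_level)
| where level_lc="info"
| stats count BY level_lc
```

The practical point for anyone writing detection searches: a where or eval comparison against a literal string silently drops every event whose value differs only in case, so a rule that works in testing can miss events from a source that logs "INFO" or "Info" instead of "info". When the case-insensitive filter can be expressed as a field-value pair in the base search (index=_internal log_level=info) that is also the cheapest option, because it is applied while events are retrieved from the index; lower() and match() in where or eval run only after every event has been fetched. Note that only field values are case insensitive in the base search; field names are case sensitive everywhere.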