Splunk Search

Is there a way to make lookup NOT case sensitive

Jaci
Splunk Employee
Splunk Employee

Let's say I have a lookup table that looks like this:

host,tmoapp somehost01,app01 somehost02,app01 anotherhost01,app02 anotherhost02,app02 ...

The issue is when a host field comes in from the agent as (say) 'SOMEHOST02'... That hostname will not get its tmoapp field correctly populated because the hostname case is wrong/different. What I would like is a way to do the lookup similar to 'grep -i' (i.e. case insensitive). Is this possible?

1 Solution

jrodman
Splunk Employee
Splunk Employee

Well, if your lookup is a script, you can of course explicitly smash case. You could also explicitly smash the case in eval. ...|eval host=lower(host) | lookup ...

However given that our text is searched in a case-insensitive fashion, it seems like supporting lookups in an insensitive fashion should be possible, but I don't know if it currently is.

View solution in original post

the_wolverine
Champion

In version 4.1.4, we provide an option to configure lookups to be case insensitive.

Sweet.

Jason
Motivator

Transforms.conf, underneath the stanza defining your lookup, case_sensitive_match = false

jeff
Contributor

That IS sweet!!

0 Karma

steveyz
Splunk Employee
Splunk Employee

What jrodman said is correct. Currently there is no ability to do case insensitive matching directly. You can either smash case in eval before calling the lookup operator, or use a scripted lookup where obviously you can do whatever type of matching you want.

jrodman
Splunk Employee
Splunk Employee

Well, if your lookup is a script, you can of course explicitly smash case. You could also explicitly smash the case in eval. ...|eval host=lower(host) | lookup ...

However given that our text is searched in a case-insensitive fashion, it seems like supporting lookups in an insensitive fashion should be possible, but I don't know if it currently is.

gkanapathy
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...