Search only for full match letter case

Communicator

Hello all,
I have the following case.
In one of my indexes I have data in Russian, and if I want to search for something I must know the exact name.
The search is case-sensitive.
For example, if in the log we have the word Сессия and in the search request we write index="index_name" "сессия" - we have nothing in the result.

Maybe somebody knows a solution to this problem.
Thank you.

0 Karma
1 Solution

Esteemed Legend

Your problem is segmenting and the non-segmenting characters that are surrounding your string. The bottom line is that you need to use the asterisk wildcard (probably on both ends). Read more about it here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Segmentersconf

0 Karma

Communicator

OK, I understand.
Thanks!

0 Karma

Esteemed Legend

The base search in Splunk is always case-insensitive. To make it case-sensitive, use the CASE operator like this:

index="index_name" CASE(сессия)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search

This search should be case-insensitive:

index="index_name" сессия

If it is not matching, it is because of the extra double-quotes you used.

Engager

Thank you. I've been searching all morning for case related to upper and lower case letters, not the case statement.

I'm looking for a generic account named 'devops' and I get results for the directory named 'DevOps'. This weeded out the unwanted results.

0 Karma

Communicator

I have not yet had time to read the information at the link, but I tested what you wrote me:

index="index_name" *ессия - I have 40 strings in the result.
index="index_name" cессия - I have 7 strings in the result.
index="index_name" Cессия - I have 33 strings in the result.

If I try index="index_name" CASE(сессия) - I have 7 strings in the result.

And I want to have all 40 strings when I use something like index="index_name" cессия

0 Karma