Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search query with like() func ignoring case

zionsof
Engager
‎02-25-2018 12:48 AM

Hey all, need some help to something I didn't manage and couldn't find any solution online.

Assuming my data is of files and is indexed as JSON form as such:

{...some stuff..., FileContent: <this-file-content> ...some stuff...}

And what I want to do is find all files that have a certain word.
So, what I currently search is:

index=main source=.... | where like(FileContent, "%someword%")

But, I want to to ignore all the case of someword (SoMeWord would be found as well).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 05:07 AM

Use regular expressions if your actual matches are more complex: ... | regex FileContent="someword" or ... | where match(FileContent, "someword")
If all you want is case-sensitive search, use CASE(): http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/UseCASEandTERMtomatchphrases

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-25-2018 12:41 PM

Case sensitivity is a bit intricate with Splunk, but keep in mind that just FileContent = someword is case insensitive.

If you end up using search or where it gets interesting -

The following would work assuming someword as lower in the events -

    | search FileContent=someword  
    | search FileContent=Someword  
    | search FileContent="Someword" 
    | where  FileContent="someword"

And these won't -

    | where FileContent=someword 
    | where FileContent="Someword"

Meaning, the syntax of search is equivalent to the regular search string while where has regex syntax.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 01:58 PM

That's not quite accurate, where only uses regex when told to, e.g. when using match(). The equals sign is just that, a case sensitive equals sign. field=".*" won't be true unless field literally contains a dot and an asterisk.

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-25-2018 02:01 PM

Thank you @martin_mueller!

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 05:07 AM

Use regular expressions if your actual matches are more complex: ... | regex FileContent="someword" or ... | where match(FileContent, "someword")
If all you want is case-sensitive search, use CASE(): http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/UseCASEandTERMtomatchphrases

Reply
Solved! Jump to solution

zionsof
Engager
‎02-25-2018 06:01 AM

Match is apparently what I needed and not like. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...