Splunk Search

Splunk Case-Sensitive Search

mkarimi
Path Finder

I have some data that comes in with different values and need to point them out. For example, the data can look like:

refRepId=36
OR
refrepid=125
or
refRepid=1245

1) for the first part, i need to look up anything that isn't refRepID. so i ran

mysearch NOT CASE(refRepID) 

but that didn't seem to do anything. and i tried by running

mysearch CASE(refrepid) OR CASE(refRepid) 

and those didn't do anyything either. (please keep in mind that refRepid and refrepid are not the only cases and there could be refrepID, rEfrepID, etc.)

2) for the second part, Here are the rules which I’m trying to achieve:
1. All refRepId values
2. Of any case, EXCEPT for the exact casing “refRepId”
3. Which are not null -> some might have refrepid= OR refrepid=somecharacters.

P.S. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

mkarimi
Path Finder

thanks man. I forgot there is a difference between rex and regex.

0 Karma

BenjaminWyatt
Communicator

Hmmm...what about something like...

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

It's not the most elegant solution, but you will filter out all the values with the casing you don't want, and enforce that the two casings you do want have values in them.

0 Karma

BenjaminWyatt
Communicator

Oh, whoops, formatting error. What I meant to type was:

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

I'm not sure I understand it needing to be case-insensitive. Field names are case-sensitive in the search string...

0 Karma

somesoni2
Revered Legend

try this

index=xx sourcetype=yy refrepid NOT (refRepID=*)

0 Karma

mkarimi
Path Finder

p.s. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

0 Karma

mkarimi
Path Finder

well you can't do = just like that right?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

also that won't work because it needs to be case-insensitive. Splunk thinks about all of those in the same manner

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...