Splunk Case-Sensitive Search

Path Finder

I have some data that comes in with different values and need to point them out. For example, the data can look like:

refRepId=36
OR
refrepid=125
or
refRepid=1245

1) For the first part, I need to look up anything that isn't refRepID. So I ran

mysearch NOT CASE(refRepID)

but that didn't seem to do anything. And I tried running

mysearch CASE(refrepid) OR CASE(refRepid)

and those didn't do anything either. (Please keep in mind that refRepid and refrepid are not the only cases; there could be refrepID, rEfrepID, etc.)

2) For the second part, here are the rules I'm trying to achieve:
1. All refRepId values
2. Of any case, EXCEPT for the exact casing “refRepId”
3. Which are not null -> some might have refrepid= OR refrepid=somecharacters.

P.S. My search needs to contain the phrase refrepid to narrow down the search, so in reality mysearch="index=xx sourcetype=yy refrepid"

1 Solution

SplunkTrust

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

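To make the regex-versus-rex distinction in the accepted answer concrete, here is an added Python example (not part of the original thread, and not SPL) that replays the two stages of the answer's pipeline over a handful of constructed sample events, using Python's re module in place of Splunk's PCRE. The casing to exclude is a parameter, so the same check can be pointed at refRepID as in the answer or at refRepId as in rule 2 of the question; the capture group is spelled insensitive_refrepid here. The event text, the helper names and the pipeline wrapper are assumptions made for illustration.

```python
import re

# Constructed sample events (made up for this example, not from the thread):
# the key appears in several casings, with numeric, alphabetic and empty values.
SAMPLE_EVENTS = [
    "ts=1 user=a refRepId=36",
    "ts=2 user=b refrepid=125",
    "ts=3 user=c refRepid=1245",
    "ts=4 user=d rEfrepID=77",
    "ts=5 user=e refRepID=9001",   # the exact casing the accepted answer drops
    "ts=6 user=f refrepid=",       # key present, value empty
    "ts=7 user=g refrepid=abc",    # key present, value non-numeric
    "ts=8 user=h status=ok",       # key absent
]

# Stands in for the base search `index=xx sourcetype=yy refrepid`: a bare term
# in the search string matches regardless of case, so every casing survives.
TERM_RE = re.compile(r"refrepid", re.IGNORECASE)

# Stands in for `| rex "(?i)refrepid=(?<...>\d+)"`: (?i) makes the key match
# ignore case, and \d+ captures only digit values. Python spells a named
# group (?P<name>...) where PCRE also accepts (?<name>...).
EXTRACT_RE = re.compile(r"(?i)refrepid=(?P<insensitive_refrepid>\d+)")


def filter_events(events, exclude_casing="refRepID"):
    """Stage 1, the `regex` command: an event-level, case-sensitive filter.

    Keeps events that mention the key in any casing and drops those whose raw
    text contains the one casing we do not want (`regex _raw!="refRepID="`).
    """
    exclude_re = re.compile(re.escape(exclude_casing) + "=")
    return [e for e in events if TERM_RE.search(e) and not exclude_re.search(e)]


def extract_values(events):
    """Stage 2, the `rex` command: a field extraction, not a filter.

    Every event is kept; an event whose key=value does not match the pattern
    simply gets no field, represented here as None.
    """
    results = []
    for event in events:
        match = EXTRACT_RE.search(event)
        results.append((event, match.group("insensitive_refrepid") if match else None))
    return results


def run_pipeline(events, exclude_casing="refRepID"):
    """The accepted answer's full pipeline; returns only the extracted values."""
    extracted = extract_values(filter_events(events, exclude_casing))
    return [value for _, value in extracted if value is not None]


if __name__ == "__main__":
    for event, value in extract_values(filter_events(SAMPLE_EVENTS)):
        print(f"{event!r:32} -> {value}")
    print("values:", run_pipeline(SAMPLE_EVENTS))
```

Running it shows the two commands doing different jobs: regex decides which events survive, rex decides which of the survivors get a value. Because the extraction uses \d+, the events with an empty or alphabetic value pass the filter but yield no field, which matters if the "not null" rule from the question is meant to admit values such as refrepid=somecharacters.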

Path Finder

Thanks, man. I forgot there is a difference between rex and regex.


Communicator

Hmmm...what about something like...

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

It's not the most elegant solution, but you will filter out all the values with the casing you don't want, and enforce that the two casings you do want have values in them.


Communicator

Oh, whoops, formatting error. What I meant to type was:

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

I'm not sure I understand it needing to be case-insensitive. Field names are case-sensitive in the search string...


Revered Legend

Try this:

index=xx sourcetype=yy refrepid NOT (refRepID=*)


Path Finder

P.S. My search needs to contain the phrase refrepid to narrow down the search, so in reality mysearch="index=xx sourcetype=yy refrepid"


Path Finder

Well, you can't do = just like that, right?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

Also, that won't work because it needs to be case-insensitive. Splunk thinks about all of those in the same manner.
