Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why I can't use case insensitive match in lookup with WILDCARD?

yutaka1005
Builder
‎01-26-2019 11:54 PM

My environment : Splunk Stand-Alone ver 7.2.3

I'd like to extract username that match with lookup case-insensitively, also I want to extract username that match with lookup using WILDCARD.

But in 7.2.3, I can't realize it.
* Although in 7.1.4, I can.

The settings and search used for verification are as follows.

transforms.conf

[test_case_insensitive]
batch_index_query = 0
case_sensitive_match = 0
filename = test_case_insensitive.csv
match_type = WILDCARD(status)

Lookup table : test_case_insensitive.csv

status,status2
"*AAAAA*","OK!"

Example search

| makeresults count=3 
| streamstats count as c 
| eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###") 
| lookup test_case_insensitive status OUTPUT status2

Is this a bug?
If someone know about it, please tell me, also give me workaround.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yutaka1005
Builder
‎01-26-2019 11:55 PM

I found it in known issues in 7.2.3

SPL-163932, SPL-164894

Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups

Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.

Create lookup: ... | eval field=lower(field) | outputlookup

Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...

View solution in original post

Reply
Solved! Jump to solution
Solution

yutaka1005
Builder
‎01-26-2019 11:55 PM

I found it in known issues in 7.2.3

SPL-163932, SPL-164894

Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups

Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.

Create lookup: ... | eval field=lower(field) | outputlookup

Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...

Reply
Solved! Jump to solution

yutaka1005
Builder
‎03-26-2019 07:28 PM

It was fixed in 7.2.5.

0 Karma
Reply
Solved! Jump to solution

pj
Contributor
‎03-27-2019 05:52 AM

woot! amazing news

0 Karma
Reply
Solved! Jump to solution

pj
Contributor
‎02-18-2019 12:21 PM

Yes super annoying. Still not fixed as of 7.2.4. Splunk please fix!!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...