My environment : Splunk Stand-Alone ver 7.2.3
I'd like to extract username that match with lookup case-insensitively, also I want to extract username that match with lookup using WILDCARD.
But in 7.2.3, I can't realize it.
* Although in 7.1.4, I can.
The settings and search used for verification are as follows.
[test_case_insensitive] batch_index_query = 0 case_sensitive_match = 0 filename = test_case_insensitive.csv match_type = WILDCARD(status)
Lookup table :
| makeresults count=3 | streamstats count as c | eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###") | lookup test_case_insensitive status OUTPUT status2
Is this a bug?
If someone know about it, please tell me, also give me workaround.
I found it in known issues in 7.2.3
Disabling casesensitivematch in transforms.conf not working for WILDCARD type lookups
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.
Create lookup: ... | eval field=lower(field) | outputlookup
Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...