Splunk Search

are search language *keywords* case-sensitive?

V_at_Splunk
Splunk Employee
Splunk Employee

Are all these OK?

* | STATS COUNT
* | stats count
* | STATS count
* | stats COUNT

Conclusion: search lang keywords (what I meant) break down as so:

  • Must be uppercase: OR, NOT
  • Must be lowercase: avg, sum, count, earliest, ...
  • Can be either: the rest

Simplest rule seems to be "uppercase OR and NOT, lowercase everything else to be safe". Which is mildly irksome, as I feel uppercasing keywords (a.k.a. operators) helps distinguish them from operands -- a primitive form of syntax highlighting, if you will. (You will see lots of SQL weenies do this.)

Tags (1)
2 Solutions

V_at_Splunk
Splunk Employee
Splunk Employee

Search language is case-insensitive, except for STATS functions: count, avg, sum, ... Those have to be lowercase.

View solution in original post

matt
Splunk Employee
Splunk Employee

OR and NOT are case sensitive

View solution in original post

bstrand0
New Member

In 6.0.1, the time modifiers (e.g. earliest, latest) must be lowercase. This may be a bug, the search job inspection shows mixed interpretation, but the base lispy output treats the date values as search terms.

E.g.:

Search: Latest="01/25/2014:00:00:00"

DEBUG: base lispy: [ AND 00 01 2014 25 ...

keywords    latest::01/25/2014:00:00:00 
0 Karma

carasso
Splunk Employee
Splunk Employee

the "replace" operator is also case-sensitive on what you replace.

jrodman
Splunk Employee
Splunk Employee

rex and regex must be case sensitive to their pattern texts.

matt
Splunk Employee
Splunk Employee

OR and NOT are case sensitive

Stephen_Sorkin
Splunk Employee
Splunk Employee

Also, field names are case sensitive.

V_at_Splunk
Splunk Employee
Splunk Employee

Search language is case-insensitive, except for STATS functions: count, avg, sum, ... Those have to be lowercase.

gkanapathy
Splunk Employee
Splunk Employee

But field names are case-sensitive:
| stats count(a)
is different from:
| stats count(A)

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...