Solved: are search language *keywords* case-sensitive?

V_at_Splunk · ‎01-14-2010

Are all these OK?

* | STATS COUNT
* | stats count
* | STATS count
* | stats COUNT

Conclusion: search lang keywords (what I meant) break down as so:

Must be uppercase: OR, NOT
Must be lowercase: avg, sum, count, earliest, ...
Can be either: the rest

Simplest rule seems to be "uppercase OR and NOT, lowercase everything else to be safe". Which is mildly irksome, as I feel uppercasing keywords (a.k.a. operators) helps distinguish them from operands -- a primitive form of syntax highlighting, if you will. (You will see lots of SQL weenies do this.)

V_at_Splunk · ‎01-14-2010

Search language is case-insensitive, except for STATS functions: count, avg, sum, ... Those have to be lowercase.

View solution in original post

matt · ‎01-14-2010

OR and NOT are case sensitive

View solution in original post

bstrand0 · ‎01-31-2014

In 6.0.1, the time modifiers (e.g. earliest, latest) must be lowercase. This may be a bug, the search job inspection shows mixed interpretation, but the base lispy output treats the date values as search terms.

E.g.:

Search: Latest="01/25/2014:00:00:00"

DEBUG: base lispy: [ AND 00 01 2014 25 ...

keywords    latest::01/25/2014:00:00:00

carasso · ‎01-19-2010

the "replace" operator is also case-sensitive on what you replace.

jrodman · ‎01-14-2010

rex and regex must be case sensitive to their pattern texts.

matt · ‎01-14-2010

OR and NOT are case sensitive

Stephen_Sorkin · ‎01-14-2010

Also, field names are case sensitive.

V_at_Splunk · ‎01-14-2010

Search language is case-insensitive, except for STATS functions: count, avg, sum, ... Those have to be lowercase.

gkanapathy · ‎01-14-2010

But field names are case-sensitive:
| stats count(a)
is different from:
| stats count(A)

are search language keywords case-sensitive?

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases

Monitoring MariaDB and MySQL