Solved: case sensitive dedup?

blee_i365 · ‎07-14-2011

I have two hosts, one named lower case 'server01', the other named upper case 'SERVER01'. When I do a search such as "foo | dedup host", I only get either server01 or SERVER01, and never both, because apparently dedup is performing case insensitive comparisons. Is there a way to enable case sensitivity?

Thanks much in Advance.

RyanAdams · ‎10-18-2011

Generally (from a networking perspective) you shouldn't have two hosts with the same hostname. However, since you do, you could use regex to determine if the hostname is upper or lowercase. For example:

... | rex field=host "(?P<upperHost>[A-Z0-9]+)"| eval hostCase=if(isnotnull(upperHost), "Upper", "Lower")

Then you could run the dedup command against both the host name and the value of hostCase:

... | dedup host, hostCase

That should leave both hostnames in the results.

PS: I havn't been able to test this so the isnotnull() may not work. Instead you may want to use upperHost="".

View solution in original post

TobiasBoone · ‎08-19-2014

dedup really needs to have an in-case sensitivity option

RyanAdams · ‎10-18-2011

Generally (from a networking perspective) you shouldn't have two hosts with the same hostname. However, since you do, you could use regex to determine if the hostname is upper or lowercase. For example:

... | rex field=host "(?P<upperHost>[A-Z0-9]+)"| eval hostCase=if(isnotnull(upperHost), "Upper", "Lower")

Then you could run the dedup command against both the host name and the value of hostCase:

... | dedup host, hostCase

That should leave both hostnames in the results.

PS: I havn't been able to test this so the isnotnull() may not work. Instead you may want to use upperHost="".

case sensitive dedup?

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Tips & Tricks When Using Ingest Actions