Solved: Splunk Case-Sensitive Search

mkarimi · ‎05-08-2014

I have some data that comes in with different values and need to point them out. For example, the data can look like:

refRepId=36
OR
refrepid=125
or
refRepid=1245

1) for the first part, i need to look up anything that isn't refRepID. so i ran

mysearch NOT CASE(refRepID)

but that didn't seem to do anything. and i tried by running

mysearch CASE(refrepid) OR CASE(refRepid)

and those didn't do anyything either. (please keep in mind that refRepid and refrepid are not the only cases and there could be refrepID, rEfrepID, etc.)

2) for the second part, Here are the rules which I’m trying to achieve:
1. All refRepId values
2. Of any case, EXCEPT for the exact casing “refRepId”
3. Which are not null -> some might have refrepid= OR refrepid=somecharacters.

P.S. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

martin_mueller · ‎05-08-2014

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

View solution in original post

martin_mueller · ‎05-08-2014

Here's what I'd try:

1) look up anything except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID="

The search will load everything, and the regex will throw out the one case you don't want to see.

2) get all the values of any case except one particular case:

index=xx sourcetype=yy refrepid | regex _raw!="refRepID=" | rex "(?i)refrepid=(?<insensitive_refredpid>\d+)"

Same as #1, except with an added extraction that ignores the case of the key before the equals sign and treats them all equally.

mkarimi · ‎05-09-2014

thanks man. I forgot there is a difference between rex and regex.

BenjaminWyatt · ‎05-08-2014

Hmmm...what about something like...

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

It's not the most elegant solution, but you will filter out all the values with the casing you don't want, and enforce that the two casings you do want have values in them.

BenjaminWyatt · ‎05-08-2014

Oh, whoops, formatting error. What I meant to type was:

mysearch NOT refRepId=* (refrepid=* OR refRepid=*)

I'm not sure I understand it needing to be case-insensitive. Field names are case-sensitive in the search string...

somesoni2 · ‎05-08-2014

try this

index=xx sourcetype=yy refrepid NOT (refRepID=*)

mkarimi · ‎05-08-2014

p.s. my search needs to contain the phrase refrepid to narrow down the search. so in reality mysearch="index=xx sourcetype=yy refrepid"

mkarimi · ‎05-08-2014

well you can't do = just like that right?

Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

also that won't work because it needs to be case-insensitive. Splunk thinks about all of those in the same manner

Splunk Case-Sensitive Search

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024