
Hi,

I am trying to extract a field from logs and generate a report from it. Basically, I am trying to identify the authentication method.

My current search looks like -

 * | rex "(?<authentication_type>(?i)(password))" | search password

This extracts a field called authentication_type with value password. But it considers Password and password to be two different values. Does anyone know how I can force Splunk to consider both the same value?

Thanks,

Rahil

asked 14 Jun '11, 07:12

rahiparikh


One Answer:

Splunk's search command is case insensitive. When creating a report, Splunk will consider these to be separate values. If you want to make reporting commands insensitive to the case of a field, we can convert the field using eval and lower.

For example:

* | rex "(?<authentication_type>(?i)(password))" | eval authentication_type=lower(authentication_type) | search authentication_type=password

answered 14 Jun '11, 11:24

hazekamp

So, what if I don't extract fields at search time but extract using the manager? Will Splunk consider Password and password different? If so, am I always required to use eval and lower functions at reporting type?

(14 Jun '11, 12:08) rahiparikh

That is correct. You can make the regular expression insensitive to case, but not the value extracted. Eval must be used @ search time for this.

(14 Jun '11, 12:29) hazekamp

Wow! I didn't know that one! Thanks! :)

(14 Jun '11, 12:43) rahiparikh
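
The normalization from the answer carried through to the report stage, as an added example that is not part of the original thread. The sample events, their sshd-style "Accepted ..." wording and the publickey value are constructed assumptions; the raw spellings are kept in a second field so the report shows which values were merged.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(n=1, "constructed sample: Accepted password for user1",
                 n=2, "constructed sample: Accepted Password for user2",
                 n=3, "constructed sample: Accepted PASSWORD for user3",
                 n=4, "constructed sample: Accepted publickey for user4")
| rex "(?i)Accepted (?<authentication_type>password|publickey)"
| eval raw_value=authentication_type
| eval authentication_type=lower(authentication_type)
| stats count AS events, values(raw_value) AS raw_values BY authentication_type
```

Removing the `lower()` line makes the report return one row per spelling instead of one row per authentication method.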
Asked: 14 Jun '11, 07:12

Seen: 3,107 times

Last updated: 14 Jun '11, 12:43

Copyright © 2005-2014 Splunk Inc. All rights reserved.