I am trying to extract a field from logs and generate a report from it. Basically, I am trying to identify the authentication method.
My current search looks like this:
* | rex "(?<authentication_type>(?i)(password))" | search password
This extracts a field called authentication_type with value password. But it considers Password and password to be two different values. Does anyone know how I can force Splunk to consider both to be the same value?
Splunk's search command is case insensitive. When creating a report, Splunk will consider these to be separate values. If you want to make reporting commands insensitive to the case of a field, we can convert the field using eval and lower.
* | rex "(?<authentication_type>(?i)(password))" | eval authentication_type=lower(authentication_type) | search authentication_type=password
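The effect of the eval/lower step, reproduced outside Splunk as an added example (not part of the original thread): the same extraction is counted once on the raw captured value and once on the lowercased value. The sample events, their `method=` layout, and the function names `extract` and `report` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread); the layout is hypothetical.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 host1 login user=alice method=Password result=success",
    "2024-01-01T10:00:05 host2 login user=bob method=password result=success",
    "2024-01-01T10:00:09 host3 login user=carol method=PASSWORD result=failure",
    "2024-01-01T10:00:12 host1 logout user=alice",  # no authentication method
]

# Same pattern as the rex in the thread; re.IGNORECASE plays the role of (?i).
AUTH_RE = re.compile(r"(?P<authentication_type>password)", re.IGNORECASE)


def extract(event):
    """Return the captured text exactly as it appears in the event, or None."""
    match = AUTH_RE.search(event)
    return match.group("authentication_type") if match else None


def report(events, normalize):
    """Count events per authentication_type, like a report grouped by that field.

    normalize=False groups on the raw capture (case-sensitive grouping);
    normalize=True lowercases first, mirroring eval ...=lower(...).
    """
    counts = Counter()
    for event in events:
        value = extract(event)
        if value is None:
            continue  # event has no match, so it contributes no row
        counts[value.lower() if normalize else value] += 1
    return dict(counts)


if __name__ == "__main__":
    print("raw:       ", report(SAMPLE_EVENTS, normalize=False))
    print("normalized:", report(SAMPLE_EVENTS, normalize=True))
```

The case-insensitive match decides which events are captured, but the captured text keeps its original case, so only the normalization step merges the rows.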