Hi,
I am trying to extract a field from logs and generate a report from it. Basically, I am trying to identify the authentication method.
My current search looks like -
* | rex "(?<authentication_type>(?i)(password))" | search password
This extracts a field called authentication_type with the value password. But it considers Password and password to be two different values. Does anyone know how I can force Splunk to consider both the same value?
Thanks,
Rahil
Splunk's search command is case insensitive. When creating a report, Splunk will consider these to be separate values. If you want to make reporting commands insensitive to the case of a field, we can convert the field using eval and lower.
For example:
* | rex "(?<authentication_type>(?i)(password))" | eval authentication_type=lower(authentication_type) | search authentication_type=password
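To make the distinction concrete, here is an added example (not code from the thread or from Splunk) that replays the same pipeline over a handful of constructed log lines in Python: a case-insensitive regex extraction, then a `stats count by`-style grouping with and without the `lower()` step. The log lines, the `AuthService` source name and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the original thread).
# Different sources spell the method "password", "Password" and "PASSWORD",
# which is exactly what splits the report into separate rows.
SAMPLE_LOGS = [
    "sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[1202]: Accepted publickey for bob from 10.0.0.7 port 51023 ssh2",
    "AuthService: Password authentication succeeded for carol",
    "AuthService: PASSWORD authentication failed for dave",
    "sshd[1203]: Failed password for root from 203.0.113.9 port 40001 ssh2",
]

# Same pattern as the thread's rex: (?i) makes the *match* case-insensitive,
# but the captured text keeps whatever case the log line used.
AUTH_TYPE_RE = re.compile(r"(?i)(?P<authentication_type>password)")


def extract_auth_type(line):
    """Equivalent of `rex "(?<authentication_type>(?i)(password))"` on one event.

    Returns the captured text as written in the event, or None if the
    pattern did not match (the field is simply absent on that event).
    """
    m = AUTH_TYPE_RE.search(line)
    return m.group("authentication_type") if m else None


def count_by_auth_type(lines, normalize=False):
    """Equivalent of `... | stats count by authentication_type`.

    With normalize=True the value is lower-cased first, which is what
    `eval authentication_type=lower(authentication_type)` does before the
    reporting command sees the field.
    """
    counts = Counter()
    for line in lines:
        value = extract_auth_type(line)
        if value is None:
            continue  # no authentication_type field on this event
        if normalize:
            value = value.lower()
        counts[value] += 1
    return dict(counts)


if __name__ == "__main__":
    # Without eval/lower the report has three rows for the same method.
    print("raw:       ", count_by_auth_type(SAMPLE_LOGS))
    # With eval/lower they collapse into one row.
    print("normalized:", count_by_auth_type(SAMPLE_LOGS, normalize=True))
```

The first call returns one bucket per spelling (`password`, `Password`, `PASSWORD`), the second returns a single `password` bucket with the combined count. In SPL the same normalised report is `... | eval authentication_type=lower(authentication_type) | stats count by authentication_type`; the `search` filter in the answer above is case insensitive anyway, so the `eval` is what matters for the reporting command, not for the filter.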
Wow! I didn't know that one! Thanks! 🙂
That is correct. You can make the regular expression insensitive to case, but not the value extracted. Eval must be used at search time for this.
How do I make the regular expression insensitive to case?
So, what if I don't extract fields at search time but extract them using the manager? Will Splunk consider Password and password different? If so, am I always required to use the eval and lower functions at reporting time?