What are the proper names for search terms and/or what does "search term" refer to? Is that case sensitive/insensitive? Can anyone help on this?
A bit more about it at are search language keywords case-sensitive?
Search terms are not case sensitive, though field names are. A search like
sourcetype=WinEventLog error
That searches for a field named exactly sourcetype (it wouldn't match SourceType or SOURCETYPE, but will only match it if it's all lower case) for where the field sourcetype has a value of wineventlog. The wineventlog is not case sensitive, it's a search term, so wineventlog matches WinEventLog, wineventlog, or any other combination of upper and lowercase.
Ditto error. "Error" wasn't on the left hand side of an equals sign at any point like sourcetype was (which isn't a perfect rule, but usually works) so it's case insensitive. It'll match ERROR, error, Error, ERRor, errOr - anything with those 5 letters in a row, regardless of case.
Hope that helps, and happy Splunking!
-Rich
Beware of eventtypes and tags that are case sensitive!
Bye.
Giuseppe