Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search query with like() func ignoring case

zionsof
Engager
‎02-25-2018 12:48 AM

Hey all, need some help to something I didn't manage and couldn't find any solution online.

Assuming my data is of files and is indexed as JSON form as such:

{...some stuff..., FileContent: <this-file-content> ...some stuff...}

And what I want to do is find all files that have a certain word.
So, what I currently search is:

index=main source=.... | where like(FileContent, "%someword%")

But, I want to to ignore all the case of someword (SoMeWord would be found as well).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 05:07 AM

Use regular expressions if your actual matches are more complex: ... | regex FileContent="someword" or ... | where match(FileContent, "someword")
If all you want is case-sensitive search, use CASE(): http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/UseCASEandTERMtomatchphrases

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-25-2018 12:41 PM

Case sensitivity is a bit intricate with Splunk, but keep in mind that just FileContent = someword is case insensitive.

If you end up using search or where it gets interesting -

The following would work assuming someword as lower in the events -

    | search FileContent=someword  
    | search FileContent=Someword  
    | search FileContent="Someword" 
    | where  FileContent="someword"

And these won't -

    | where FileContent=someword 
    | where FileContent="Someword"

Meaning, the syntax of search is equivalent to the regular search string while where has regex syntax.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 01:58 PM

That's not quite accurate, where only uses regex when told to, e.g. when using match(). The equals sign is just that, a case sensitive equals sign. field=".*" won't be true unless field literally contains a dot and an asterisk.

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-25-2018 02:01 PM

Thank you @martin_mueller!

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2018 05:07 AM

Use regular expressions if your actual matches are more complex: ... | regex FileContent="someword" or ... | where match(FileContent, "someword")
If all you want is case-sensitive search, use CASE(): http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/UseCASEandTERMtomatchphrases

Reply
Solved! Jump to solution

zionsof
Engager
‎02-25-2018 06:01 AM

Match is apparently what I needed and not like. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...