Hey all, I need some help with something I couldn't manage and couldn't find any solution for online.
Assuming my data is of files and is indexed as JSON form as such:
{...some stuff..., FileContent: <this-file-content> ...some stuff...}
And what I want to do is find all files that have a certain word.
So, what I currently search is:
index=main source=.... | where like(FileContent, "%someword%")
But I want to ignore the case of someword (SoMeWord would be found as well).
Use regular expressions if your actual matches are more complex: ... | regex FileContent="someword"
or ... | where match(FileContent, "someword")
If all you want is case-sensitive search, use CASE()
: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/UseCASEandTERMtomatchphrases
Case sensitivity is a bit intricate with Splunk, but keep in mind that just FileContent = someword is case insensitive.
If you end up using search or where it gets interesting -
The following would work assuming someword as lower in the events -
| search FileContent=someword
| search FileContent=Someword
| search FileContent="Someword"
| where FileContent="someword"
And these won't -
| where FileContent=someword
| where FileContent="Someword"
Meaning, the syntax of search is equivalent to the regular search string while where has regex syntax.
That's not quite accurate, where only uses regex when told to, e.g. when using match(). The equals sign is just that, a case sensitive equals sign. field=".*" won't be true unless field literally contains a dot and an asterisk.
Thank you @martin_mueller!
Match is apparently what I needed and not like. Thanks!
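The following SPL is an added example, not part of the original thread or any poster's search, that puts the three approaches discussed above side by side on constructed data so the case behaviour can be seen in one run. It builds three synthetic events with makeresults (the FileContent values are made up for the demo), then evaluates the original like() pattern, match() with the PCRE inline flag (?i), and like() applied to lower() of the field. The field name FileContent and the word "someword" are taken from the question; the helper field names n, like_hit, match_ci_hit and lower_hit are assumptions for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval FileContent=case(n==1, "this file contains someword in it", n==2, "this file contains SoMeWord in it", n==3, "nothing relevant here")
| eval like_hit=if(like(FileContent, "%someword%"), 1, 0)
| eval match_ci_hit=if(match(FileContent, "(?i)someword"), 1, 0)
| eval lower_hit=if(like(lower(FileContent), "%someword%"), 1, 0)
| table n FileContent like_hit match_ci_hit lower_hit
```

Expected outcome: like_hit is 1 only for the first event (like() compares literally), while match_ci_hit and lower_hit are 1 for both the first and second events and 0 for the third. In a real search, replace the eval/table lines with a filter such as `| where match(FileContent, "(?i)someword")`, or normalise once with lower() if several later commands need the case-folded value. Without (?i), match() is also case sensitive, since Splunk regexes are PCRE and case sensitive by default; that matters when the content being searched comes from untrusted files, because a detection that only matches the lower-case spelling silently misses every other casing.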