Why can't I use case-insensitive match in lookup with WILDCARD?

yutaka1005
Builder

My environment : Splunk Stand-Alone ver 7.2.3

I'd like to extract usernames that match the lookup case-insensitively, and I also want to extract usernames that match the lookup using WILDCARD.

But in 7.2.3, I can't achieve this.
* In 7.1.4, however, I can.

The settings and search used for verification are as follows.

transforms.conf

[test_case_insensitive]
batch_index_query = 0
case_sensitive_match = 0
filename = test_case_insensitive.csv
match_type = WILDCARD(status)

Lookup table : test_case_insensitive.csv

status,status2
"*AAAAA*","OK!"

Example search

| makeresults count=3 
| streamstats count as c 
| eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###") 
| lookup test_case_insensitive status OUTPUT status2

Is this a bug?
If someone knows about it, please tell me, and also give me a workaround.

0 Karma
1 Solution

yutaka1005
Builder

I found it in the known issues for 7.2.3

SPL-163932, SPL-164894

Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups

Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and do the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.

Create lookup: ... | eval field=lower(field) | outputlookup

Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...
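
The workaround applied to the reproduction from the question, as an added example that is not part of the original posts. The first search rewrites the lookup file with a lowercased status pattern; the second matches on a lowercased copy of the event field so the original status value stays available. The field name status_lc is an assumption chosen for illustration.

```spl
| inputlookup test_case_insensitive.csv
| eval status=lower(status)
| outputlookup test_case_insensitive.csv

| makeresults count=3
| streamstats count as c
| eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###")
| eval status_lc=lower(status)
| lookup test_case_insensitive status AS status_lc OUTPUT status2
| table status status_lc status2
```

With both sides lowercased, the stored pattern becomes "*aaaaa*" and a case-sensitive wildcard comparison matches all three sample values.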

yutaka1005
Builder

It was fixed in 7.2.5.

0 Karma

pj
Contributor

woot! amazing news

0 Karma

pj
Contributor

Yes super annoying. Still not fixed as of 7.2.4. Splunk please fix!!

0 Karma