My environment : Splunk Stand-Alone ver 7.2.3
I'd like to extract username that match with lookup case-insensitively, also I want to extract username that match with lookup using WILDCARD.
But in 7.2.3, I can't realize it.
* Although in 7.1.4, I can.
The settings and search used for verification are as follows.
transforms.conf
[test_case_insensitive]
batch_index_query = 0
case_sensitive_match = 0
filename = test_case_insensitive.csv
match_type = WILDCARD(status)
Lookup table : test_case_insensitive.csv
status,status2
"*AAAAA*","OK!"
Example search
| makeresults count=3
| streamstats count as c
| eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###")
| lookup test_case_insensitive status OUTPUT status2
Is this a bug?
If someone know about it, please tell me, also give me workaround.
I found it in known issues in 7.2.3
SPL-163932, SPL-164894
Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups
Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.
Create lookup: ... | eval field=lower(field) | outputlookup
Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...
I found it in known issues in 7.2.3
SPL-163932, SPL-164894
Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups
Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.
Create lookup: ... | eval field=lower(field) | outputlookup
Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...
It was fixed in 7.2.5.
woot! amazing news
Yes super annoying. Still not fixed as of 7.2.4. Splunk please fix!!