- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why I can't use case insensitive match in lookup w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My environment : Splunk Stand-Alone ver 7.2.3
I'd like to extract username that match with lookup case-insensitively, also I want to extract username that match with lookup using WILDCARD.
But in 7.2.3, I can't realize it.
* Although in 7.1.4, I can.
The settings and search used for verification are as follows.
transforms.conf
[test_case_insensitive]
batch_index_query = 0
case_sensitive_match = 0
filename = test_case_insensitive.csv
match_type = WILDCARD(status)
Lookup table : test_case_insensitive.csv
status,status2
"*AAAAA*","OK!"
Example search
| makeresults count=3
| streamstats count as c
| eval status=case(c=1, "###AAAAA###", c=2, "###aaaaa###", c=3, "###AAaaa###")
| lookup test_case_insensitive status OUTPUT status2
Is this a bug?
If someone know about it, please tell me, also give me workaround.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found it in known issues in 7.2.3
SPL-163932, SPL-164894
Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups
Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.
Create lookup: ... | eval field=lower(field) | outputlookup
Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found it in known issues in 7.2.3
SPL-163932, SPL-164894
Disabling case_sensitive_match in transforms.conf not working for WILDCARD type lookups
Workaround:
You can normalise the data in the lookup (| eval field=lower(field)) before populating, and doing the same before looking it up.
If you need the denormalised version, you can create a different field for the lookup instead to still have access to the original.
Create lookup: ... | eval field=lower(field) | outputlookup
Use lookup: ... | eval matchfield=lower(field) | lookup matchfield ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was fixed in 7.2.5.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woot! amazing news
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes super annoying. Still not fixed as of 7.2.4. Splunk please fix!!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
