- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- How to run search on lookup file with case insensi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi ,
I have a lookup file with million of records, there are user name with lower or upper case. I need to match the user name irrespective of case. I have added a lookup defn ( with case sensitive check box unticked). I can see in transform.conf that match_case_sensitive=0
But still search is running with case sensitive.
I am using Splunk 8.0. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to perform your lookup through the lookup definition, not the lookup file so try using lookupsplunk (or whatever the name of your lookup definition is), instead of lookupsplunk.csv, like this:
index="x" AND sourcetype="Y"
| rex "(?:Users%5C)(?(.*))(?:%5C(AppData|Desk))"
| lookup lookupsplunk user AS UserID OUTPUT Office Country UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to perform your lookup through the lookup definition, not the lookup file so try using lookupsplunk (or whatever the name of your lookup definition is), instead of lookupsplunk.csv, like this:
index="x" AND sourcetype="Y"
| rex "(?:Users%5C)(?(.*))(?:%5C(AppData|Desk))"
| lookup lookupsplunk user AS UserID OUTPUT Office Country UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome , thank you very much !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="x"
| rex field=_raw "(?:Users%5C)(?<UserID>(.*))(?:%5C(AppData|Desk))"
| inputlookup lookupspluk.csv append=t
| eval UserID=coalesce(lower(UserId),lower(user))
| eventstats values(Office) as Office ,values(Country) as Country ,values(UserName) as UserName by UserID
at first, check your POST message, some strings is missing.
and let's make a lookup with lowercase or uppercase username.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Show us your search SPL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="x" | rex field=_raw "(?:Users%5C)(?(.*))(?:%5C(AppData|Desk))" | lookup lookupspluk.csv user as UserID OUTPUT Office,Country,UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock - any suggestions. M still stuck , even though I have the stanza in transform.conf . I have also tried to put 0 in place of false
[ColleagueLookup]
filename = colleaguecountry_splunk_NewSQL.csv
case_sensitive_match = false
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
