Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are sourcetype names case-sensitive?

Justin_Grant
Contributor
‎05-07-2010 04:45 AM

Yet another case-sensitivity question: are sourcetype names case-sensitive?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎05-07-2010 07:25 PM

In search, no they are not. Note that this is very similar to the more general question:

http://answers.splunk.com/questions/65/are-field-values-case-sensitive

See my answer there. I go into a little more detail there which you might find interesting.

View solution in original post

Reply
Solved! Jump to solution

anwarmian
Communicator
‎05-23-2022 08:14 PM

sourcetype in props.conf in case-senstive

[MySourcetype] is different from [mysourcetype]
From Splunk Documentation (pros.conf)

By default, [source::<source>] and [<sourcetype>] stanzas match in a
case-sensitive manner, while [host::<host>] stanzas match in a
case-insensitive manner. This is a convenient default, given that DNS names
are case-insensitive.



0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2010 01:53 PM

Well...in props.conf I think they will be (unless you express the stanza like: [::(?i)mYSourCeTypeName]. In thesearchcommand (which is implicit at the start of a query) they won't be, but forwherecomparisons in search queries,stats` values, etc., they will be.

It's not whether the names themselves are case-sensitive. It's whether whatever you're doing at the time is sensitive to the case of the names. It's more accurate to say that Splunk is case-sensitive in most places where you'd use a sourcetype name, and that the search command is actually an exception.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎05-07-2010 07:25 PM

In search, no they are not. Note that this is very similar to the more general question:

http://answers.splunk.com/questions/65/are-field-values-case-sensitive

See my answer there. I go into a little more detail there which you might find interesting.

Reply
Solved! Jump to solution

CerielTjuh
Path Finder
‎05-07-2010 12:50 PM

You can try this yourself 🙂

sourcetype="wineventlog:security"

instead of

sourcetype="WinEventLog:Security"

both work, so I'm assuming its not case sensitive

Reply
Solved! Jump to solution

Zaphod
Engager
‎09-16-2020 01:48 PM

This is not my experience.

index=* sourcetype=Xmlwineventlog | stats count by sourcetype

returns stats for sourcetype XmlWinEventLog

index=* sourcetype=xmlwineventlog | stats count by sourcetype

returns stats for sourcetype XmlWinEventLog and sourcetype xmlwineventlog.

Reply
Solved! Jump to solution

agneticdk
Path Finder
‎01-19-2021 12:13 AM

I agree on the XmlWinEventLog vs xmlwineventlog. Splunk has something here that is not "normal" behavior.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...