How to Make Search String Case Sensitive in Splunk

In this post we share how to make a search string case sensitive in Splunk. There are two ways to do it:

Process 1:

With the search command in Splunk you can easily make a search string case sensitive. The queries are given below:

Query 1:

Find a search string which is in Upper-Case

index="test" sourcetype="testlog"
| search CASE(ABHAY)


Explanation :

In the above query, test is the index name and testlog is the sourcetype name. We have used the CASE function with the search command to make the search string case sensitive, so the search returns only those events where the given search string (ABHAY) is in upper case.

****************************************************************************

Query 2:

Find a search string which is in Lower-Case

index="test" sourcetype="testlog"
| search CASE(abhay)


Explanation :

In the above query, test is the index name and testlog is the sourcetype name. We have used the CASE function with the search command to make the search string case sensitive, so the search returns only those events where the given search string (abhay) is in lower case.

***********************************************************************************

Process 2:

With the regex command in Splunk you can easily make a search string case sensitive. The queries are given below:

Query 1:

Find a search string which is in Upper-Case

index="test" sourcetype="testlog"
| regex "(?=ABHAY)"


Explanation :

In the above query, test is the index name and testlog is the sourcetype name. With the help of the regex command we can match the search string (ABHAY) exactly as written, in upper case. We have used the "?" sign, as part of the (?=...) group, for exact matching. As a result, we get only those events where the given search string (ABHAY) is in upper case.

********************************************************************************

Query 2:

Find a search string which is in Lower-Case

index="test" sourcetype="testlog"
| regex "(?=abhay)"


Explanation :

In the above query, test is the index name and testlog is the sourcetype name. With the help of the regex command we can match the search string (abhay) exactly as written, in lower case. We have used the "?" sign, as part of the (?=...) group, for exact matching. As a result, we get only those events where the given search string (abhay) is in lower case.
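An added example, not part of the original post: a self-contained search that builds four constructed events with makeresults and shows, side by side, which regular expressions match each one. It uses the eval match() function, which takes a regular expression like the regex command does; the field names (n, origin, lookahead, plain, bounded, ignore_case) and the sample events are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval origin="constructed sample event"
| eval _raw=case(
    n==1, "user=ABHAY action=login",
    n==2, "user=abhay action=login",
    n==3, "user=Abhay action=logout",
    n==4, "user=ABHAYA action=login")
| eval lookahead=if(match(_raw, "(?=ABHAY)"), "match", "-")
| eval plain=if(match(_raw, "ABHAY"), "match", "-")
| eval bounded=if(match(_raw, "\bABHAY\b"), "match", "-")
| eval ignore_case=if(match(_raw, "(?i)abhay"), "match", "-")
| table _raw origin lookahead plain bounded ignore_case
```

The lookahead and plain columns agree on every row, including the ABHAYA event, because both are case sensitive and both match substrings; the bounded pattern is the one that excludes ABHAYA.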

Hope this has helped you achieve the following requirement without fail:

How to Make Search String Case Sensitive in Splunk

Happy Splunking !!
