OutpostSecurity
commented
3 years ago There was an issue that was fixed in Splunk 7.2.5 where if you were searching a lookup with WILDCARD() and it was set to case insensitive it was not working. Could you make sure you are on 7.2.5 or greater and let me know if this is still an issue?
Here is a link to a community answer on this: https://community.splunk.com/t5/Splunk-Search/Why-I-can-t-use-case-insensitive-match-in-lookup-with-WILDCARD/m-p/429349
Hi, even thought the transforms specify non-case sensitive, the whitelisting is still case sensitive as Splunk wants the lookups to be lower case make case insensitive lookups. So when using the whitelisting panels, the data should be lowercased before writing the CSV to make it really case insensitive.