https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462958#M191476 <P>Hi All,</P> <P>I have some logs which are mostly tab delimited I used props and transforms to set up the delimited extractions but in a few logs we have back slash("\") as a field value. Looks like Splunk is unable to handle the same with delimited extractions. </P> <P>has anyone faced similar issue earlier or if there is any solution for the same.</P> <P>Example Below:</P> <P>Sample Logs:<BR /> Log1: Hostname abc \ xyz<BR /> Log2: Hostname abc domain\username xyz</P> <P>Currently with delimited extraction: I am getting below values<BR /> Log 1:<BR /> Field 1: Hostname<BR /> Field 2:abc<BR /> Field 3: \<BR /><BR /> xyz</P> <P>Log 2: <BR /> Field 1: Hostname<BR /> Field 2:abc<BR /> Field 3: domain\username<BR /> Field 4: xyz</P> Wed, 28 Aug 2019 01:18:46 GMT akshatj2 2019-08-28T01:18:46Z https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462958#M191476 <P>Hi All,</P> <P>I have some logs which are mostly tab delimited I used props and transforms to set up the delimited extractions but in a few logs we have back slash("\") as a field value. Looks like Splunk is unable to handle the same with delimited extractions. </P> <P>has anyone faced similar issue earlier or if there is any solution for the same.</P> <P>Example Below:</P> <P>Sample Logs:<BR /> Log1: Hostname abc \ xyz<BR /> Log2: Hostname abc domain\username xyz</P> <P>Currently with delimited extraction: I am getting below values<BR /> Log 1:<BR /> Field 1: Hostname<BR /> Field 2:abc<BR /> Field 3: \<BR /><BR /> xyz</P> <P>Log 2: <BR /> Field 1: Hostname<BR /> Field 2:abc<BR /> Field 3: domain\username<BR /> Field 4: xyz</P> Wed, 28 Aug 2019 01:18:46 GMT https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462958#M191476 akshatj2 2019-08-28T01:18:46Z https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462959#M191477 <P>you need 3 backslashes<BR /> somethinf like this</P> <P>[source::blah blah]<BR /> SEDCMD-removebackslsh = s/\\//g</P> <P>test on the web first</P> <PRE><CODE> | makeresults | eval x="Hostname abc \ xyz" | rex mode=sed field=x "s/\\\//g" </CODE></PRE> Wed, 28 Aug 2019 08:02:22 GMT https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462959#M191477 Sukisen1981 2019-08-28T08:02:22Z https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462960#M191478 <P>hi @ akshatj2<BR /> Please accept the answer if it helped resolve your issue, or let us know what more is needed to resolve your issue</P> Thu, 29 Aug 2019 16:27:22 GMT https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462960#M191478 Sukisen1981 2019-08-29T16:27:22Z https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462961#M191479 <P>Hi Sukisen</P> <P>Thank you for suggestion but my we do not want to remove the backslash available. We wanted to parse that backslash as a filed value using delimiter. Looks like I have found a solution though I am just testing it and should post the answer soon.</P> Thu, 29 Aug 2019 16:45:48 GMT https://community.splunk.com/t5/Splunk-Search/Events-with-Tab-Delimited-values/m-p/462961#M191479 akshatj2 2019-08-29T16:45:48Z