https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102798#M26556 <P>Hello!<BR /> I need to provide search only in earliest source in my sourcetype. <BR /> I use this search request for this purposes:<BR /> sourcetype="mysourcetype" | stats earliest(source) as firstsource | search source=firstsource<BR /> But I get error "No results found". <BR /> I found that the firstsource of returns in the form of <CODE>D:\MyFolder\Mysourcename.gz</CODE> while for a successful search must have a value as <CODE>D:\\MyFolder\\Mysourcename.gz</CODE> <BR /> How can I replace <CODE>\</CODE> to <CODE>\\</CODE>?</P> Mon, 22 Apr 2013 09:01:49 GMT ryastrebov 2013-04-22T09:01:49Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102798#M26556 <P>Hello!<BR /> I need to provide search only in earliest source in my sourcetype. <BR /> I use this search request for this purposes:<BR /> sourcetype="mysourcetype" | stats earliest(source) as firstsource | search source=firstsource<BR /> But I get error "No results found". <BR /> I found that the firstsource of returns in the form of <CODE>D:\MyFolder\Mysourcename.gz</CODE> while for a successful search must have a value as <CODE>D:\\MyFolder\\Mysourcename.gz</CODE> <BR /> How can I replace <CODE>\</CODE> to <CODE>\\</CODE>?</P> Mon, 22 Apr 2013 09:01:49 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102798#M26556 ryastrebov 2013-04-22T09:01:49Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102799#M26557 <PRE><CODE>sourcetype="mysourcetype" | stats earliest(source) as firstsource | rex field=firstsource mode=sed "s/\\/\\\\/g" | search source=firstsource </CODE></PRE> <P>I think this will work. Note that you'll probably need to escape the backslashes within the rex statement, like above.</P> <HR /> <P>UPDATE:</P> <P>There seems to some issues with backslashes and sed, apparently. Perhaps this can give some guidance.</P> <P><A href="http://splunk-base.splunk.com/answers/24026/sedcmd-special-requirement-for-backslash">http://splunk-base.splunk.com/answers/24026/sedcmd-special-requirement-for-backslash</A> </P> <P>/K</P> Mon, 22 Apr 2013 09:10:37 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102799#M26557 kristian_kolb 2013-04-22T09:10:37Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102800#M26558 <P>I get error "Error in 'rex' command: Failed to initialize sed. Failed to parse the regex to replace."</P> Mon, 22 Apr 2013 09:37:48 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102800#M26558 ryastrebov 2013-04-22T09:37:48Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102801#M26559 <P>There's something wacky about how the Splunk regex parser interprets backslashes. As a rule of thumb, to match a literal backslash you need one more than you think you do. This should work:</P> <P><CODE>rex mode=sed field=foo "s/(\\\)/\1\1/g"</CODE></P> Wed, 14 Jun 2017 16:50:46 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102801#M26559 cphair 2017-06-14T16:50:46Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102802#M26560 <P>Hello, I tried adding this in CLI search job script using curl and getting no result, any idea? Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 22 Mar 2019 15:32:03 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102802#M26560 splunkreal 2019-03-22T15:32:03Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102803#M26561 <PRE><CODE>SOLVED : needed to escape again : "s/(\\\\\)/\1\1/g" </CODE></PRE> Mon, 25 Mar 2019 10:03:01 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/102803#M26561 splunkreal 2019-03-25T10:03:01Z https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/510505#M142880 <P>eval new_path = replace( old_path ,"(\\\\)","\\\\\1")</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Wed, 22 Jul 2020 18:00:22 GMT https://community.splunk.com/t5/Splunk-Search/replace-one-backslash-by-double-backslash/m-p/510505#M142880 manan_amin 2020-07-22T18:00:22Z