I have found a strange behaviour in the Splunk Add-on for Windows: it contains some transformations, used to extract CIM-compliant fields, which are not correctly processed. After some analysis, I found out that all the transforms which include a REGEX ending with an escaped backslash are not processed correctly.
For instance, this transformation is not processed at search time:
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)\\
FORMAT = dest_nt_domain::"$1"
In addition, when I try to edit these transformations using the GUI, I see that the existing REGEX is read by Splunk as:
(.+)\\FORMAT = dest_nt_domain::"$1"
In my opinion, something is going wrong when Splunk is parsing a regex ending with an escaped backslash.
Has anybody encountered the same problem? I am using Splunk 6.2.0 and Splunk_TA_windows 4.7.4 (but I see the same regex in transforms.conf of Splunk_TA_windows 4.7.5).
At present, as a workaround, I have created a "transforms.conf" in Splunk_TA_windows/local, overriding the transforms which use regular expressions ending with an escaped backslash. I rewrote the REGEX, enclosing the ending backslashes in square brackets.
For instance, the above mentioned transformation becomes:
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
Actually, the workaround seems to work correctly: in the past few weeks I have not had any problems with the extractions. However, I have submitted a "bug report" to Splunk.
I think this question can be closed, considering the workaround as solution.
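As an added example (not from the post, the Splunk add-on, or Splunk itself), a small Python check that scans a constructed transforms.conf excerpt for REGEX values ending in an escaped backslash, rewrites them with the square-bracket workaround described above, and verifies on sample Security_ID values that the original and rewritten regexes extract the same dest_nt_domain, while the run-together value the GUI displayed extracts nothing. The stanza parser is a deliberately simplified stand-in and does not model how Splunk reads .conf files.

```python
import re

# Constructed transforms.conf excerpt (not the add-on's real file); the first
# stanza mirrors the one quoted in the post, the second is a control case.
TRANSFORMS_CONF = r"""
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)\\
FORMAT = dest_nt_domain::"$1"

[Security_ID_as_user]
SOURCE_KEY = Security_ID
REGEX = \\(.+)$
FORMAT = user::"$1"
"""

def parse_stanzas(text):
    """Simplified stand-in for reading a .conf file: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def ends_with_escaped_backslash(regex):
    r"""True when the REGEX ends with a literal backslash written as '\\'."""
    return regex.endswith("\\\\")

def bracket_trailing_backslash(regex):
    r"""The workaround from the post: '(.+)\\' becomes '(.+)[\\]'."""
    return regex[:-2] + "[\\\\]" if ends_with_escaped_backslash(regex) else regex

def affected_stanzas(text):
    """Names of stanzas whose REGEX ends with an escaped backslash."""
    return [name for name, kv in parse_stanzas(text).items()
            if ends_with_escaped_backslash(kv.get("REGEX", ""))]

def apply_transform(regex, fmt, value):
    """Emulate REGEX plus a FORMAT of the form field::"$1"; None when no match."""
    m = re.search(regex, value)
    if not m:
        return None
    field, template = fmt.split("::", 1)
    return field, template.strip('"').replace("$1", m.group(1))
```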