Hi,

I have found a strange behaviour in the Splunk Add-on for Windows: it contains some transformations, used to extract CIM-compliant fields, which are not correctly processed. After some analysis, I found out that all the transforms which include a REGEX ending with an escaped "backslask" are not processed correctly.

For instance, this transformation is not processed at search time:

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)\\
FORMAT = dest_nt_domain::"$1"

In addition, when I try to edit these transformations using the GUI, I see that the existing REGEX is read by Splunk as:

(.+)\\FORMAT = dest_nt_domain::"$1"

In my opinion, something is going wrong when Splunk is parsing a regex ending with an escaped backslash.

Has anybody incurred the same problem? I am using Splunk 6.2.0 and Splunk_TA_windows 4.7.4 (but I see the same regex in transforms.conf of Splunk_TA_windows 4.7.5).

At present, as a workaround, I have created a "transforms.conf" in Splunk_TA_windows/local , overriding the transforms which use regular expressions ending with an escaped backslash. I rewrite the REGEX enclosing the ending backslashes in square brackets.

For instance, the above mentioned transformation becomes:

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"