I think there is a misunderstanding. This is a discussion on how the Splunk searchbnf.conf parser has undocumented and unwanted behavior, not about any particular app or any 3rd party commands.

For the highlighting, it appears that it has affected Splunk as well.  You can look at the shelper response to see the raw text, so the highlighting appears to be in the browser, not in the backend.

Note: if you want to use the "or" ("|") command

regex (field("="|"!="))?((\")?string(\")?)

If you look at the chart command, it does the same to the BY/OVER that is capitalized in the source.

The default searchbnf.conf file located here in $SPLUNK_HOME/etc/system/default

Says this:

UPPERCASETERMS and quoted terms are put into <code/>

So when you have something like CSV, PDF, "myindex" the text appears in green color.

Sincerely,

Laura Stewart

Principal Technical Writer – Search Processing Language (SPL)

That is there, under the "DESCRIPTION FORMATTING" section.

The earlier "FORMATTING" section states to use \" to represent a quote. This is not directly aligned with the Description Formatting and does not work in a description.

The "\" is also shown as "\\", which is not documented.

Based on the descriptions shown above that were written by Splunk, it appears that this behavior was not understood by Splunk authors, or the parsing behavior changed and the descriptions were not updated.

The only concern I have with @lstewart_splunk's accurate answer, is that the current behavior breaks the description syntax for stock Splunk commands, as shown above for regex.  The Splunk authors for the regex syntax apparently expected that (\")?string(\")? would be shown as (")?string(")?, but instead, it is strangely highlighted.

I tried the following, with no luck.

AAAA _BBBB_ \CCCC "DDDD" 'EEEE' `FFFF`

 I was surprised to see backslashes escaped, and the underscore after BBBB is highlighted but the underscore after is not. 

I replicated this issue with Splunk versions 7.2 and 8.0.