Splunk Enterprise Security

Drill down with process path

Communicator

Hi all,

I am having major issues with creating drilldown to correlation searches, using tokens of the process paths.

The problem is that splunk doesn't know how to refer to the "\".

I have tried to modify the token and replace every "\" with "\", but with no luck.

Does anyone knows how to workaround this issue ?

Example for drilldown:

| from datamodel:Endpoint.Processes
| search processpath = $processpath $ AND dest=$dest$

** $process_path$="C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe"

Thanks in advance !

0 Karma