Splunk Enterprise Security

Drill down with process path


Hi all,

I am having major issues with creating drilldown to correlation searches, using tokens of the process paths.

The problem is that splunk doesn't know how to refer to the "\".

I have tried to modify the token and replace every "\" with "\", but with no luck.

Does anyone knows how to workaround this issue ?

Example for drilldown:

| from datamodel:Endpoint.Processes
| search process_path = $process_path $ AND dest=$dest$

** $process_path$="C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe"

Thanks in advance !

0 Karma