I am having major issues with creating drilldowns to correlation searches using tokens of the process paths.
The problem is that Splunk doesn't know how to refer to the "\".
I have tried to modify the token and replace every "\" with "\", but with no luck.
Does anyone know how to work around this issue?
Example for drilldown:
| from datamodel:Endpoint.Processes
| search process_path=$process_path$ AND dest=$dest$
where $process_path$ = "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe"
Thanks in advance!