I'm trying to match events in transforms.conf on key=value strings (like EventCode=103 and so on).
It wouldn't work unless I escaped the equals sign with a backslash. So a config entry like
REGEX=ComputerName=whatever.domain.com
doesn't seem to work, but
REGEX=ComputerName\=whatever.domain.com
does.
And I generally don't mind it, but I would love to see a piece of docs that says that the equals sign has to be escaped. Normally it doesn't, so I have no idea if it's something to do with regex itself or with conf file parsing.
Can anyone point me to a proper doc?
@PickleRick Hey, there is not any exact document for only a "=", but you can find a doc for regex and you can get more info with this:
https://docs.splunk.com/Documentation/SCS/current/Search/Escapecharacters
Also, if this reply helps you, an upvote would be appreciated.
Yeah, I know that, but that covers regular regex syntax (which is more or less PCRE) and escaping special characters. And the equals sign is not special (at least in regex).
As I said, I found a mention about escaping the equals sign in a few posts on the community but nothing in official docs 😕
@PickleRick Here is the official link from Splunk where the list of all the special characters is mentioned. Also, the "equal to" sign is present:
https://docs.splunk.com/Documentation/StyleGuide/current/StyleGuide/Specialcharacters
Also, if this reply helps you, an upvote would be appreciated.
Well yes, but it's a style guide, not a conf file spec 😉
Yeah, I know. I already "fixed" a thing or two on the doc pages 🙂