I can test
\\[\w]+\\[\w]+\\(?<File_Path>.+) or simply \\\w+\\\w+\\(?<File_Path>.+)
in Rex101 and it works fine
In Splunk, | rex field=_raw "\[\w]+\[\w]+\(?<File_Path>.+)"
I get Regex: unmatched closing parenthesis.
What would be the proper way to escape the backslashes in Splunk? I have searched for examples but with no definitive answers.
Raw data:
Application Information:
Process ID: 3160
Application Name: \device\harddiskvolume4\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Network Information:
Direction: Outbound
I just want the output to be:
program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
in this example.
Hi @rfiscus,
You should add one more backslash to escape the backslash, like below:
| rex field=_raw "\\\[\w]+\\\[\w]+\\\(?<File_Path>.+)"
Haha, I tried two and four, apparently didn't try three. Thanks!
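Why the two-backslash form fails and the three-backslash form extracts the path, as an added Python example that is not part of the thread and is not Splunk code. It assumes a simplified model in which the SPL quoted-string layer collapses `\\` to `\` and passes other backslash sequences through before the regex engine sees the pattern; `splunk_unquote`, `extract` and the sample event are constructed for illustration.

```python
import re

# Constructed sample event, based on the raw data quoted in the question.
RAW = (
    "Application Information:\n"
    "Process ID: 3160\n"
    r"Application Name: \device\harddiskvolume4\program files\common files"
    r"\microsoft shared\clicktorun\officeclicktorun.exe" "\n"
    "Network Information:\n"
)

# The text typed between the double quotes of `| rex field=_raw "..."`.
TWO = r"\\[\w]+\\[\w]+\\(?<File_Path>.+)"
THREE = r"\\\[\w]+\\\[\w]+\\\(?<File_Path>.+)"


def splunk_unquote(quoted):
    # Assumed model of the SPL quoted-string layer (hypothetical helper):
    # a backslash pair collapses to one backslash, \" becomes ", and any
    # other backslash sequence is passed through unchanged.
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and quoted[i + 1:i + 2] in ("\\", '"'):
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def extract(spl_pattern, raw):
    """Return (regex seen by the engine, File_Path or None, error or None)."""
    seen = splunk_unquote(spl_pattern)
    # Python's re spells PCRE's (?<name>...) as (?P<name>...).
    py_regex = re.sub(r"\(\?<(?![=!])", "(?P<", seen)
    try:
        match = re.search(py_regex, raw)
    except re.error as exc:
        return seen, None, str(exc)
    return seen, (match.group("File_Path") if match else None), None


if __name__ == "__main__":
    for label, pattern in (("two", TWO), ("three", THREE)):
        print(label, extract(pattern, RAW))
```

Under this model the two-backslash string reaches the regex engine with `\(` (an escaped literal parenthesis), so the final `)` has no opening partner, while the three-backslash string reaches it as the same pattern that was tested outside Splunk.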