Solved: Can't I use backslashes in Splunk searches?

pavanae · ‎02-08-2023

I have a Splunk query as below which pulls some events.

index="windows_events" TargetFileName="*startup*"

Now from the events I picked the below TargetFileName field value

\Device\HarddiskVolume3\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to AbC.lnk

Now I wanted to search specifically for the above field and for that I used the below query which gives me no results.

`get_All_CrowdstrikeEDR` event_simpleName=FileCreateInfo os="Win" TargetFileName="*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*"

Now, what I dont understand is when I tried the first query I am able to see some events though I used wild cards before and after startup

Now, when I extended the wild card with actual value why isn't working?

Can't I use backslashes in Splunk searches?

richgalloway · ‎02-08-2023

Have you tried escaping the backslashes? The \ character is used for escaping so to specify a \ you must escape it.

`get_All_CrowdstrikeEDR` event_simpleName=FileCreateInfo os="Win" TargetFileName="*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-08-2023

Have you tried escaping the backslashes? The \ character is used for escaping so to specify a \ you must escape it.

`get_All_CrowdstrikeEDR` event_simpleName=FileCreateInfo os="Win" TargetFileName="*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"

---
If this reply helps you, Karma would be appreciated.

Can't I use backslashes in Splunk searches?

field extraction

fields

join

stats

timechart

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?