DBConnect indexing field with backslash character

mcomfurf · ‎12-31-2015

I'm indexing a field with DBConnect that contains the backslash character, eg \, in order to escape quotation marks and hyphens within the data. This has a side effect of breaking the field extraction after the first \ character. Has anyone encountered this problem, and if so, how do you work around it?

mcomfurf · ‎01-04-2016

I had trouble getting the sed approach to work, though I can see how that might bear fruit if I took more time to wrestle with it. I wound up creating a new field extraction and that solved the problem.

jkat54 · ‎01-06-2016

Did you use double backslash in your "new field extraction"? If so, please accept my answer. If you used another pattern, please post it here and mark it as the answer.

mcomfurf · ‎01-06-2016

I did not; I was able to use a simple regex based on the field's position: ^(?:[^=\n]*=){5}(?P.+)

jkat54 · ‎01-01-2016

Have you tried a double backslash instead?

Maybe use rex or sedcmd to remove the backslash from the _raw field?

... | rex mode=sed field=_raw "s/\\//g"| ...

DBConnect indexing field with backslash character

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

DBConnect indexing field with backslash character

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine