As @gcusello says, backslashes have to be escaped. The way regex works is that the strings are processed twice, so backslashes have to be escaped again; to match a backslash, you need four backslashes in the expression for each backslash you are trying to match. This means that your expression is looking for a double backslash (\\) in ImagePath.
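An added illustration, not part of the original answer and not Splunk's own code: a Python model of the two passes described in the answer above. The string-literal pass (`string_layer`) is a simplified assumption about how a quoted search string is unescaped, Python's `re` stands in for the regex engine, and the ImagePath values are constructed.

```python
import re

def string_layer(typed: str) -> str:
    # Pass 1 (assumed, simplified model): inside a quoted search string,
    # an escaped backslash or escaped double quote collapses to one character.
    out, i = [], 0
    while i < len(typed):
        if typed[i] == "\\" and i + 1 < len(typed) and typed[i + 1] in '\\"':
            out.append(typed[i + 1])
            i += 2
        else:
            out.append(typed[i])
            i += 1
    return "".join(out)

def matches(typed: str, value: str) -> bool:
    # Pass 2: the regex engine unescapes whatever survived pass 1.
    try:
        return re.search(string_layer(typed), value) is not None
    except re.error:
        return False  # the surviving text is not a valid regex

# Constructed sample values for the ImagePath field.
SINGLE = r"C:\Windows\system32\drivers\example.sys"     # one backslash per separator
DOUBLE = r"C:\\Windows\\system32\\drivers\\example.sys"  # two backslashes per separator

FOUR = r"Windows\\\\system32"           # 4 typed -> 2 after pass 1 -> 1 literal backslash
EIGHT = r"Windows\\\\\\\\system32"      # 8 typed -> 4 after pass 1 -> 2 literal backslashes
TWO = r"Windows\\system32"              # 2 typed -> 1 after pass 1 -> regex sees \s (whitespace)

def report():
    rows = []
    for name, typed in (("two", TWO), ("four", FOUR), ("eight", EIGHT)):
        rows.append((name, string_layer(typed),
                     matches(typed, SINGLE), matches(typed, DOUBLE)))
    return rows

if __name__ == "__main__":
    for name, regex, hit_single, hit_double in report():
        print(f"{name:>5} typed -> regex {regex!r}: "
              f"single={hit_single} double={hit_double}")
```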
Hi
Here is @xpac's excellent post about escaping \ in Splunk: https://community.splunk.com/t5/Splunk-Enterprise/How-many-escapes-quot-quot-do-I-need-in-conf-file-...
r. Ismo
Hi @jip31,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @jip31,
We could better help you if you share a sample of your logs.
Anyway, 4 backslashes are often required when in your logs you have a backslash that must be escaped to avoid SPL interpreting it as a control char.
Ciao.
Giuseppe