I am trying to match a directory path including the string "\Users" but Splunk is throwing an error:
| rex field=TargetFilename "C:\\Users\\\w+\\AppData\\(?<File_Dir>.*)\."
Error in 'rex' command: Encountered the following error while compiling the regex 'C:\Users\\w+\AppData\(?<File_Dir>.*)\.': Regex: PCRE does not support \L, \l, \N{name}, \U, or \u.
How can I literally match the path?
Splunk rex requires you to double up backslashes when trying to escape them
| makeresults
| eval TargetFilename="C:\\Users\\abc\\AppData\\tom.**bleep**.harry"
| rex field=TargetFilename "C:\\\\Users\\\\\w+\\\\AppData\\\\(?<File_Dir>.*)\."
Splunk rex requires you to double up backslashes when trying to escape them
| makeresults
| eval TargetFilename="C:\\Users\\abc\\AppData\\tom.**bleep**.harry"
| rex field=TargetFilename "C:\\\\Users\\\\\w+\\\\AppData\\\\(?<File_Dir>.*)\."
@ITWhisperer
The actual directory is something like this, "C:\Users\abc\Downloads\file.exe"
In your example, 4 backslashes would match literal 2 consecutive backslashes such as "\\" no?
No, you need 4 backslashes to match with 1 backslash
That is a runanywhere example, just copy it into a search in splunk and look at the _raw field and the result
Ok I see that.
But how come in your eval statement you needed only 2 backslashes for 1 literal backslash?
I also tried changing it to one literal backslash in the eval and it still produce 1 literal backslash in the resulting value?
There are two levels of escaping in play here.
If you just do "\\" i a regex definition, splunk parsing the search and creating the string variable representing the regex will escape the backslash. That's the first level of escaping.
Thus if you do "\\\\" splunk creates a string consisting of two consecutive backslashes.
Now this string is getting supplied to the regex processor which also needs the backslash to be escaped to be treated as a literal backslash character.
So you need "\\\\" to be properly escaped (twice) in order to match single backslash character.
With eval you have only one level of escaping since you're only building a string, not processing regex afterwards.
Just be glad that you're not trying to write a bash script. Proper escaping when you want to supply the arguments somewhere can give you a migraine XD
The backslash has to be escaped with a backslash in a string (for the eval).
Look at the _raw field created by the search, it only has single backslashes in, just like your data.
For the rex, the string is passed through as a string and has to be escaped a second time, hence the doubling up.