Hi, I have a custom search command that gets its input as a raw string, but when I combine it in Splunk, Splunk doesn't understand it and always returns an error.
Example:
|example rawstring="{"EventCode": "13","EventType": "SetValue","TargetObject": "(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run"}}"
Can anyone help me pass it? Thanks in advance.
hi @thanhnhhe130698,
You have double quotes in the raw string, put a backslash before each double quote.
rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\]{0,2}Microsoft[//\\\\]{0,2}Windows[//\\\\]{0,2}CurrentVersion[//\\\\]{0,2}Run\"}}"
If this reply helps you, a like would be appreciated.
Hi @manjunathmeti, thanks for your reply. It works, but Splunk still turns the string '//\\\\' into '//\\'. Do you have a way to fix this? Thank you very much.
You need to escape the backslash character (\) as well. Use the sequence \\ to escape a single \.
rawstring="{\"EventCode\": \"13\",\"EventType\": \"SetValue\",\"TargetObject\": \"(?mi)Software[//\\\\\\\\]{0,2}Microsoft[//\\\\\\\\]{0,2}Windows[//\\\\\\\\]{0,2}CurrentVersion[//\\\\\\\\]{0,2}Run\"}}"
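The two answers above describe one rule: inside a double-quoted SPL argument, every " must be written as \" and every \ as \\, so a regex backslash that is already doubled in the JSON text ends up as eight backslashes in the search string. The following added example (my own code, not Splunk's and not from this thread) implements that quoting in Python, the language custom search commands are written in, and simulates the reverse step so the round trip can be checked before the string is pasted into a search. The unquoting rule (\" becomes ", \\ becomes \, nothing else is special) is an assumption about how Splunk parses quoted arguments; the payload and the command name are constructed for the example.

```python
import json
import re

# Constructed payload: the JSON object from the question, with the regex as the
# TargetObject value. In JSON text a regex backslash is written as "\\", so each
# character class holds four backslashes in the text (eight in this Python literal).
RAW_JSON = (
    '{"EventCode": "13", "EventType": "SetValue", '
    '"TargetObject": "(?mi)Software[//\\\\\\\\]{0,2}Microsoft[//\\\\\\\\]{0,2}'
    'Windows[//\\\\\\\\]{0,2}CurrentVersion[//\\\\\\\\]{0,2}Run"}'
)


def spl_quote(value: str) -> str:
    """Wrap value as a double-quoted SPL argument.

    Backslashes are doubled first, then double quotes are escaped, so a
    backslash that was already in the text never merges with the escape we add.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def spl_unquote(arg: str) -> str:
    """Simulate how a double-quoted SPL argument is read back (assumed rule:
    \\" yields ", \\\\ yields \\, any other character is taken literally)."""
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        raise ValueError("argument must be enclosed in double quotes")
    out = []
    i, end = 1, len(arg) - 1
    while i < end:
        ch = arg[i]
        if ch == "\\" and i + 1 < end and arg[i + 1] in '\\"':
            out.append(arg[i + 1])  # drop the escaping backslash
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_command(command: str, rawstring: str) -> str:
    """Return the search line for a custom command (name is hypothetical)."""
    return f"| {command} rawstring={spl_quote(rawstring)}"


def roundtrip(rawstring: str) -> dict:
    """Quote, unquote as Splunk would, then parse: proves the JSON survives."""
    return json.loads(spl_unquote(spl_quote(rawstring)))


def regex_matches(rawstring: str, candidate: str) -> bool:
    """Check the TargetObject regex recovered from the round trip against a
    constructed registry path, to show the backslashes came back intact."""
    pattern = roundtrip(rawstring)["TargetObject"]
    return re.search(pattern, candidate) is not None


if __name__ == "__main__":
    print(build_command("example", RAW_JSON))
    print(roundtrip(RAW_JSON))
    print(regex_matches(RAW_JSON, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"))
```

The printed search line has eight backslashes per character class, exactly as in the last answer; feeding that line through spl_unquote returns the original JSON text, and json.loads then yields a regex with two backslashes per class, which matches a backslash-separated registry path.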