Splunk Search

Quadruple backslash required... bug or feature?

phatfingers
Explorer

I'm encountering something that seemed non-intuitive to me in my Search app through the web interface. I'm trying to discern if this is normal behaviour and I just need to adapt, or if I'm bumping into some sort of bug or configuration issue. I'd appreciate it if someone would tell me, "Yes, that's how it's supposed to work for everyone" or "No, my Splunk instance behaves differently".

I've used regular expressions for years and am not seeking help understanding how to form or interpret a regular expression. I'm seeking, instead, to understand whether Splunk is escaping the characters of my string input to extract a regular expression prior to interpreting it.

When I use a tool like Regex Buddy, I expect the following definitions from a regular expression:

.  matches any character
\. matches a literal period character
\t matches a TAB character
\\ matches a BACKSLASH character

Let's say I use that list as my data set: four events, some with periods and some with backslashes.

If I want every line with a period, I would use the expression: "\."

If I want every line with a backslash, I would use the expression: "\\"

If I wanted to match on the two-character sequence, {backslash}{t}, above, what should that look like in Splunk's web search? For me, it's: "\\\\t".

Should I be keying in the expression itself, or should I be keying in the string that, after escaping, will make the expression I want interpreted?

1 Solution

gkanapathy
Splunk Employee

Yes. It's not so much the web interface, as that the Splunk search commands in which you might use a regex (rex, eval) take quoted strings as arguments. These arguments include the regex itself. In order to express a quote inside the quoted string, you must escape it with a backslash, and in order to express a backslash, you must also escape it with a backslash.

There isn't a way (that I know) to express the regex using a "raw" string, where you don't have to quote those characters.

Note that when you provide a regex to Splunk outside of the search commands (e.g., in the transforms.conf configuration files), you don't have to deal with those string quoting rules, so you would express the regex plainly.
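The two layers described in the answer above, as an added example that is not part of the original posts and is not Splunk's parser. The function names are hypothetical, Python's `re` stands in for the regex engine, and the model assumes a backslash before any character other than a quote or a backslash is passed through unchanged.

```python
import re

def unquote_spl_string(literal: str) -> str:
    # Model of the quoted-string layer described in the answer: \" yields a
    # quote and \\ yields one backslash. Assumption of this model: a backslash
    # before any other character is passed through unchanged.
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("expected a double-quoted argument")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 == len(body):
            raise ValueError("trailing backslash would escape the closing quote")
        if ch == "\\" and body[i + 1] in '"\\':
            out.append(body[i + 1])  # escape consumed by the string layer
            i += 2
        elif ch == '"':
            raise ValueError("unescaped quote inside quoted argument")
        else:
            out.append(ch)  # everything else reaches the regex engine as typed
            i += 1
    return "".join(out)

def matching_events(typed: str, events: list[str]) -> list[str]:
    # Layer 1: string unquoting. Layer 2: regex interpretation of the result.
    pattern = re.compile(unquote_spl_string(typed))
    return [e for e in events if pattern.search(e)]

# Constructed sample events: the four definition lines from the question.
EVENTS = [
    r".  matches any character",
    r"\. matches a literal period character",
    r"\t matches a TAB character",
    r"\\ matches a BACKSLASH character",
]

if __name__ == "__main__":
    for typed in [r'"\."', r'"\\\\"', r'"\\\\t"', r'"\\t"']:
        regex = unquote_spl_string(typed)
        hits = matching_events(typed, EVENTS)
        print(f"typed {typed:<9} regex {regex:<4} matched {len(hits)} event(s)")
```

In this model, typing `"\\t"` leaves the regex `\t`, which the engine reads as a TAB, so the backslash-t event is only found with `"\\\\t"`.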

phatfingers
Explorer

Thank you!
