Splunk Search

Quadruple backslash required... bug or feature?

Explorer

I'm encountering something that seemed non-intuitive to me in my Search app through the web interface. I'm trying to discern if this is normal behaviour and I just need to adapt, or if I'm bumping into some sort of bug or configuration issue. I'd appreciate if someone would tell me, "Yes, that's how it's supposed to work for everyone" or "No, my Splunk instance behaves differently".

I've used regular expressions for years and am not seeking help understanding how to form or interpret a regular expression. I'm seeking, instead, to understand whether Splunk is escaping the characters of my string input to extract a regular expression prior to interpreting it.

When I use a tool like Regex Buddy, I expect the following definitions from a regular expression:

.  matches any character
\. matches a literal period character
\t matches a TAB character
\\ matches a BACKSLASH character

Let's say I use that list as my data set: four events, some with periods and some with backslashes.

If I want every line with a period, I would use the expression: "\."

If I want every line with a backslash, I would use the expression: "\\"

If I wanted to match on the two-character sequence, {backslash}{t}, above, what should that look like in Splunk's web search? For me, it's: "\\\\t".

Should I be keying in the expression itself, or should I be keying in the string that, after escaping, will make the expression I want interpreted?

1 Solution

Splunk Employee
Splunk Employee

Yes. It's not so much the web interface, as that the Splunk search commands in which you might use a regex (rex eval) take quoted string as arguments. These arguments include the regex itself. In order to express a quote inside the quoted string, you must escape it with a backslash, and in order to express a backslash, you must also escape it with a backslash.

There isn't a way (that I know) to express the regex using a "raw" string, where you don't have to quote those characters.

Note that when you provide a regex to Splunk outside of the search commands (e.g., in the transforms.conf configuration files), you don't have to deal with those string quoting rules, so you would express the regex plainly.

View solution in original post

Splunk Employee
Splunk Employee

Yes. It's not so much the web interface, as that the Splunk search commands in which you might use a regex (rex eval) take quoted string as arguments. These arguments include the regex itself. In order to express a quote inside the quoted string, you must escape it with a backslash, and in order to express a backslash, you must also escape it with a backslash.

There isn't a way (that I know) to express the regex using a "raw" string, where you don't have to quote those characters.

Note that when you provide a regex to Splunk outside of the search commands (e.g., in the transforms.conf configuration files), you don't have to deal with those string quoting rules, so you would express the regex plainly.

View solution in original post

Explorer

Thank you!

0 Karma