Splunk Search

Regex: Error using where/match and backslash character

abowesman
Explorer

The following example

| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\Temp\.exe$")

Creates a field FilePath with the value \Temp.exe

So, to match that, I am escaping the single slash with 2 slashes in the match statement, but that gives the error

Error in 'where' command: Regex: unrecognized character follows \

If I use \\s then the search does not fail with an error, presumably because \s is a valid character class expression, whereas \T is not.

So, based on the description of the eval/replace function

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/TextFunctions#replace.28X.2CY.2CZ...

if I double escape the \, so use

| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\\\Temp\.exe$")

then it works, so I was looking to clarify that this is due to the same double escaping requirement ONLY for the \ character and, if so, whether this is a general rule that PCRE expressions inside eval statements that have \ will always need 4 instances of the \.
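As an added illustration of the two escaping layers the question is about (this is not code from the post; Python's re stands in for Splunk's PCRE engine, and the eval string-literal rule it models, that only \\ and \" are collapsed and every other backslash sequence passes through to the regex, is an assumption):

```python
import re

def spl_eval_unescape(literal: str) -> str:
    """First layer: how an eval string literal is read before the regex sees it.
    Assumption (not stated in the post): only \\ and \" are collapsed; any other
    backslash sequence (\., \s, \T, ...) is passed through unchanged."""
    out = []
    i = 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal) and literal[i + 1] in "\\\"":
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def spl_match(value_literal: str, pattern_literal: str):
    """Mimic `eval FilePath=<value_literal> | where match(FilePath, <pattern_literal>)`.
    Returns True/False for a successful compile, or the regex error text when the
    engine rejects the pattern after the eval layer has been applied.
    Python's re, like PCRE, rejects \T as an unknown escape."""
    value = spl_eval_unescape(value_literal)
    pattern = spl_eval_unescape(pattern_literal)
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return f"Regex: {exc}"
    return rx.search(value) is not None

# The three pattern variants from the question, as they would be typed in SPL (constructed).
CASES = {
    "single": r"(?i)\\Temp\.exe$",    # eval -> \Temp\.exe$  : \T is not a valid escape -> error
    "double": r"(?i)\\\\Temp\.exe$",  # eval -> \\Temp\.exe$ : regex sees a literal backslash
    "class":  r"(?i)\\sTemp\.exe$",   # eval -> \sTemp\.exe$ : \s is whitespace, no error
}

def run_cases():
    """Evaluate every variant against the value \\Temp.exe (which eval stores as \Temp.exe)."""
    return {name: spl_match(r"\\Temp.exe", pat) for name, pat in CASES.items()}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:6} -> {result}")
```

Only the four-backslash form both compiles and matches; the \s form compiles but cannot match, because the stored value starts with a backslash, not whitespace.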
