
Regex: Error using where/match and backslash character


The following example


| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\Temp\.exe$")


Creates a field FilePath with the value \Temp.exe

So, to match that, I am escaping the single slash with 2 slashes in the match statement, but that gives the error

Error in 'where' command: Regex: unrecognized character follows \

If I use \\s then the search does not fail with an error, presumably because \s is a valid character class expression, whereas \T is not.

So, based on the description of the eval/replace function, if I double escape the \, so use


| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\\\Temp\.exe$")


then it works, so I was looking to clarify that this is due to the same double escaping requirement ONLY for the \ character and, if so, is this a general rule that PCRE expressions inside eval statements that have \ will always need the 4x instance of the \?
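As an added illustration (not from the original post or from Splunk), a small Python model of the two escaping layers the post runs into: the eval string literal is decoded first, and only the decoded text reaches the regex engine. The literal-decoding rules and the `escape_for_eval_regex` helper are simplifying assumptions, not Splunk's own parser.

```python
import re

def unescape_eval_string(literal: str) -> str:
    """Simplified model (assumption, not Splunk's actual parser) of how a
    double-quoted string in an eval expression is decoded: '\\\\' becomes one
    backslash and '\\"' becomes a quote; every other backslash sequence is
    passed through unchanged to whatever consumes the string (here: PCRE)."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in "\\\"":
            out.append(literal[i + 1])   # \\ -> \   and   \" -> "
            i += 2
        else:
            out.append(ch)               # \T, \., \s ... reach the regex as-is
            i += 1
    return "".join(out)

def splunk_match(value: str, pattern_literal: str) -> bool:
    """Mimic: where match(field, "<pattern_literal>"). Raises re.error when the
    decoded pattern is invalid, the analogue of Splunk's
    'Regex: unrecognized character follows \\'."""
    return re.search(unescape_eval_string(pattern_literal), value) is not None

def escape_for_eval_regex(text: str) -> str:
    """Hypothetical helper: build an eval string literal that matches `text`
    literally. Layer 1: regex-escape; layer 2: double every backslash so the
    string decoder hands the regex engine exactly what was escaped."""
    return re.escape(text).replace("\\", "\\\\")

# Constructed sample: the same value the post's eval produces from "\\Temp.exe"
FILE_PATH = unescape_eval_string(r"\\Temp.exe")   # -> \Temp.exe

def check_post_examples() -> dict:
    """Run the three patterns discussed in the post through the model."""
    patterns = {
        "single": r"(?i)\\Temp\.exe$",     # decodes to \Temp\.exe$  -> bad escape \T
        "double": r"(?i)\\\\Temp\.exe$",   # decodes to \\Temp\.exe$ -> literal backslash
        "class":  r"(?i)\\sTemp",          # decodes to \sTemp       -> valid, no match
        "helper": escape_for_eval_regex(FILE_PATH) + "$",
    }
    results = {}
    for label, pat in patterns.items():
        try:
            results[label] = splunk_match(FILE_PATH, pat)
        except re.error as exc:
            results[label] = f"regex error: {exc}"
    return results
```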

