The following example
| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\Temp\.exe$")
Creates a field FilePath with the value \Temp.exe
So, to match that, I am escaping the single slash with 2 slashes in the match statement, but that gives the error
Error in 'where' command: Regex: unrecognized character follows \
If I use \\s then the search does not fail with an error, presumably because \s is a valid character class expression, whereas \T is not.
So, based on the description of the eval/replace function
if I double escape the \, so use
| makeresults
| eval FilePath="\\Temp.exe"
| where match(FilePath, "(?i)\\\\Temp\.exe$")
then it works, so I was looking to clarify that this is due to the same double escaping requirement ONLY for the \ character and if so, is this a general that PCRE expressions inside eval statements, that have \, will always need the 4* instance of the \