Using a literal pipe "|" character in an extracted...

jbrenner · ‎06-14-2018

I'm creating an extracted field using a regex, and I want to use a literal pipe "|" character in the regex.
My understanding is to use a backspace as an escape character as follows:

\|

When I save the regex and return to it, however, the backslash has been removed.
What am I doing wrong?

Thanks,
Jonathan

jbrenner · ‎06-14-2018

Hi,

I don't know what I was doing wrong, but after trying some different things, it stopped stripping out the escape characters.
I think I must have doing something wrong in the UI.
To answer your question, though, I was selecting the dropdown that says "Event Actions" and selecting "Extract Fields"

Thanks for responding,
Jonathan

somesoni2 · ‎06-14-2018

Glad your issue is resolved. If there are no other followup (related) questions, they you can close this question by accepting this as an answer.

jbrenner · ‎06-14-2018

Sorry. meant to say "backslash," not "backspace" 🙂

somesoni2 · ‎06-14-2018

What's the full regex that you're using? How are you saving it, using IFX (interactive field extraction wizard) OR directory through settings?

Using a literal pipe "|" character in an extracted regex field

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?