Hi Splunk experts,

I believe I found a bug in Splunk search.

Some fields in my events contain file paths with relative parts denoted by "../".

When I use Splunk search to list events with a specific path, the SPL is automatically rewritten and the "../" in the middle of the path is removed (thereby changing my search) resulting in no matching events found.

I cannot get Splunk search to filter by the literal string value I specify, even though it is surrounded by double quotes.

Example SPL:
file_name="C:\Smallworld\41\product\..\cambridge_db\ds\ds_admin/../ds_demo/rwo.ds"

Is automatically rewritten to:
file_name="C:\Smallworld\41\product\..\cambridge_db\ds\ds_admin/ds_demo/rwo.ds"

Some facts:

- This behavior started after I upgraded to Splunk 8.2.0 and cannot be reproduced on 7.3.2.

- If I build the SPL within my dashboard (using tokens) then this automatic rewrite does not happen, hence the events are found. But as soon as I jump to Splunk search from the dashboard (through the looking glass symbol) the SPL gets rewritten and the  "../" removed.

- This automatic rewrite also happens if I let Splunk search itself compose the SPL: first view all events in Splunk search, and then filter on a file_name value through the field list on the left. The result is that no events are shown, as the resulting SPL is incorrect (see screenshots).

Screenshots of the problem:

- screenshot 1: events are shown in Splunk search, the field list on the left shows the occurring values for the file_name field. Now I click on a value to search for that specific file_name (note the ../ underlined in red)

- screenshot 2: Splunk search amends the file_name filter to the SPL, but it modifies the field value to omit the ../ part (again underlined in red)

Has anyone else encountered this problem, and/or has a remedy?

Thank you in advance,

Coen