Hi Splunk experts,

I believe I found a bug in Splunk search. Some fields in my events contain file paths with relative parts denoted by "../". When I use Splunk search to list events with a specific path, the SPL is automatically rewritten and the "../" in the middle of the path is removed (thereby changing my search), resulting in no matching events being found. I cannot get Splunk search to filter by the literal string value I specify, even though it is surrounded by double quotes.

Example SPL:

file_name="C:\Smallworld\41\product\..\cambridge_db\ds\ds_admin/../ds_demo/rwo.ds"

is automatically rewritten to:

file_name="C:\Smallworld\41\product\..\cambridge_db\ds\ds_admin/ds_demo/rwo.ds"

Some facts:
- This behavior started after I upgraded to Splunk 8.2.0 and cannot be reproduced on 7.3.2.
- If I build the SPL within my dashboard (using tokens), this automatic rewrite does not happen, and the events are found. But as soon as I jump to Splunk search from the dashboard (through the magnifying glass symbol), the SPL gets rewritten and the "../" is removed.
- This automatic rewrite also happens if I let Splunk search itself compose the SPL: first view all events in Splunk search, then filter on a file_name value through the field list on the left. The result is that no events are shown, as the resulting SPL is incorrect (see screenshots).

Screenshots of the problem:
- Screenshot 1: events are shown in Splunk search, and the field list on the left shows the occurring values for the file_name field. Now I click on a value to search for that specific file_name (note the "../" underlined in red).
- Screenshot 2: Splunk search appends the file_name filter to the SPL, but it modifies the field value to omit the "../" part (again underlined in red).

Has anyone else encountered this problem, and/or has a remedy?

Thank you in advance,
Coen