I am breaking my head over this.
Sometimes our users log in to our web application using username: "myuser" or "mydomain\myuser". It screws up the results for "stats", because myuser and mydomain\myuser are taken as two different users. I need to remove the "mydomain\" string from the username. Here is what I am doing:
Search:
source="/var/log/iis" myserver.mydomain.com | eval username=lower(username) | eval username=replace(username,"mydomain\\\\","") | stats count by username | sort -count
gets broken with an error message, because Splunk thinks that I am escaping double quotes, instead of the \ sign.
When I take "\" out of the statement:
source="/var/log/iis" myserver.mydomain.com | eval username=lower(username) | eval username=replace(username,"mydomain","") | stats count by username | sort -count
it returns:
\\myuser
myuser
How can I get rid of the damn backslash? I am surprised that Splunk matches from the right side instead of from the left. The statement "\\" should escape the \ sign and not double quotes.
Same thing happens if I try to extract "myuser" from the username with rex:
rex field=_raw "^client\\\\(?<user>.*)"
It gets broken thinking that I am escaping the parenthesis.
Very strange and very frustrating.
It would be nice if Splunk developers included a "chr(ascii-code)" command, so that any character in the search string could be replaced with its ASCII code at the places where the escaping nonsense happens.
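Added example, not from the original post: a Python version of the username normalization the question is after, run over constructed sample values. It shows the two escaping layers (string literal first, then the regex engine) that produce the four-backslash form, and a split-based variant that avoids regex metacharacters entirely.

```python
import re
from collections import Counter

# Constructed sample of IIS-style usernames as they might appear in the log:
# plain, domain-prefixed, and mixed case. Not real log data.
SAMPLE_USERNAMES = [
    "myuser",
    "mydomain\\myuser",      # one literal backslash in the data
    "MYDOMAIN\\MyUser",
    "otheruser",
    "mydomain\\otheruser",
]

# Two escaping layers: a regular (non-raw) Python string needs four backslashes
# to hand the regex engine two, and the regex engine reads those two as one
# literal backslash. The raw-string form r"..." needs only two.
DOMAIN_PREFIX = re.compile("^(?:[^\\\\]+\\\\)")
assert DOMAIN_PREFIX.pattern == r"^(?:[^\\]+\\)"


def normalize_regex(username: str) -> str:
    """Strip a leading DOMAIN\\ prefix with the regex, then lowercase."""
    return DOMAIN_PREFIX.sub("", username, count=1).lower()


def normalize_split(username: str) -> str:
    """Same result without regex: split on the backslash and keep the last part."""
    return username.split("\\")[-1].lower()


def count_by_user(usernames):
    """Equivalent of '| stats count by username | sort -count' after normalizing.

    Returns (username, count) pairs, highest count first, name as tie-breaker.
    """
    counts = Counter(normalize_split(u) for u in usernames)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, n in count_by_user(SAMPLE_USERNAMES):
        print(f"{n}\t{user}")
```

The split-based variant has a direct counterpart in eval's split() and mvindex() functions and sidesteps the regex layer altogether.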