I'm encountering something that seemed non-intuitive to me in my Search app through the web interface. I'm trying to discern if this is normal behaviour and I just need to adapt, or if I'm bumping into some sort of bug or configuration issue. I'd appreciate it if someone would tell me, "Yes, that's how it's supposed to work for everyone" or "No, my Splunk instance behaves differently".
I've used regular expressions for years and am not seeking help understanding how to form or interpret a regular expression. I'm seeking, instead, to understand whether Splunk is escaping the characters of my string input to extract a regular expression prior to interpreting it.
When I use a tool like Regex Buddy, I expect the following definitions from a regular expression:
. matches any character
\. matches a literal period character
\t matches a TAB character
\\ matches a BACKSLASH character
Let's say I use that list as my data set: four events, some with periods and some with backslashes.
If I want every line with a period, I would use the expression: " \. "
If I want every line with a backslash, I would use the expression: " \\ "
If I wanted to match on the two-character sequence, {backslash}{t}, above, what should that look like in Splunk's web search? For me, it's: " \\\\t ".
Should I be keying in the expression itself, or should I be keying in the string that, after escaping, will make the expression I want interpreted?