Splunk Search

DBConnect indexing field with backslash character

mcomfurf
Path Finder

I'm indexing a field with DBConnect that contains the backslash character, eg \, in order to escape quotation marks and hyphens within the data. This has a side effect of breaking the field extraction after the first \ character. Has anyone encountered this problem, and if so, how do you work around it?

0 Karma

mcomfurf
Path Finder

I had trouble getting the sed approach to work, though I can see how that might bear fruit if I took more time to wrestle with it. I wound up creating a new field extraction and that solved the problem.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Did you use double backslash in your "new field extraction"? If so, please accept my answer. If you used another pattern, please post it here and mark it as the answer.

0 Karma

mcomfurf
Path Finder

I did not; I was able to use a simple regex based on the field's position: ^(?:[^=\n]*=){5}(?P.+)

0 Karma

jkat54
SplunkTrust
SplunkTrust

Have you tried a double backslash instead?

Maybe use rex or sedcmd to remove the backslash from the _raw field?

... | rex mode=sed field=_raw "s/\\//g"| ...

0 Karma
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...