Hi,
I have a log with this type of content: domain\\user
. I have extracted this info with field extraction called src_user
.
When I do a search with src_user=* | table src_user
, the response shows domain\user
instead of domain\\user
. One of the \
characters is stripped.
Then when I am doing a searchFieldsToDisplay
to get src_user
value I get domain\user
and I can not set a new search with this searchField value.
Does anyone know how to solve this?
Regards
trying to see your regular expression because you must be missing something, and is the problem that must come. and also check if you have not escape "\" s inside.
without your expression regular and an example of data I do not guess more.
If it is exactly as you have described, it has to be a bug and I would open a Support Case with Splunk right away.