Double backslash in a field value becomes single b...

helge · ‎09-14-2016

One of our fields stores the name of a Windows UNC path, e.g.:

\\server\share

(two backslashes followed by server name followed by one backslash and a share name)

That seems to be indexed just fine. In our accelerated data model, where the same field is defined as string field, the double backslashes become a single backslash, i.e. above path would look like this:

\server\share

(one backslash followed by server name followed by one backslash and a share name)

Is there any way to retain the original field data with two backslashes?

Another strange thing I noticed is that when searching for a UNC path in the regular index (not in the data model), the single backslash needs to be escaped by a second backslash or no results are returned. Example:

sourcetype=*smb* SharePath="\\192.168.8.5\\c$"

gcusello · ‎09-15-2016

Did you tried to use three backslashes for the first one and only one for the second?

sourcetype=*smb SharePath="\\192.168.8.5\c$"*

I tried and runs.

Bye.

Giuseppe

helge · ‎09-16-2016

Yes, I tried that and do not get any results. When searching the regular index only the variant I posted in the question returns results.
BTW this answer does not touch on my main question (marked in bold).

Double backslash in a field value becomes single backslash in accelerated data model. How to retain the original field data with two backslashes?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms