Re: DBConnect indexing field with backslash charac...

mcomfurf · ‎12-31-2015

I'm indexing a field with DBConnect that contains the backslash character, eg \, in order to escape quotation marks and hyphens within the data. This has a side effect of breaking the field extraction after the first \ character. Has anyone encountered this problem, and if so, how do you work around it?

mcomfurf · ‎01-04-2016

I had trouble getting the sed approach to work, though I can see how that might bear fruit if I took more time to wrestle with it. I wound up creating a new field extraction and that solved the problem.

jkat54 · ‎01-06-2016

Did you use double backslash in your "new field extraction"? If so, please accept my answer. If you used another pattern, please post it here and mark it as the answer.

mcomfurf · ‎01-06-2016

I did not; I was able to use a simple regex based on the field's position: ^(?:[^=\n]*=){5}(?P.+)

jkat54 · ‎01-01-2016

Have you tried a double backslash instead?

Maybe use rex or sedcmd to remove the backslash from the _raw field?

... | rex mode=sed field=_raw "s/\\//g"| ...

DBConnect indexing field with backslash character

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio