
Regular Expressions

In Search Anywhere Framework Language (SAFL), regular expressions are used with the rex command. Regular expressions can be used with functions such as match and replace.

For more information, see rex.

Backslash character in regular expressions

In regular expressions, the backslash character (\) is used to escape special characters such as the period (.), double quotes ("), and the backslash itself. For example, the period (.) in a regular expression normally means any character except a line break. To match a literal period, you need to escape it with a backslash, writing it as \. in your expression.

When a search regular expression contains a double backslash, such as the file path C:\\Users, the search interprets the first backslash as an escape character and the path becomes C:\Users. To match the path as written, you must escape both backslashes by writing four consecutive backslashes: C:\\\\Users. For example, to match C:\\Users\Docs, enter C:\\\\Users\\Docs in the search bar.

The SAF framework parses text twice: once for SAFL and then again for regular expressions. This is why the extra escaping is required. Each parser applies its own logic to backslashes, treating them as special characters that must themselves be escaped with an additional backslash. As a result, in SAFL, \\ is converted to \, and \\\\ is converted to \\.

How to avoid excessive escaping of backslash characters

To avoid excessive escaping of backslash characters (\) in SAFL regular expressions, you can use the hexadecimal code \x5c. This code is equivalent to the backslash character and bypasses the need for double escaping.

In the following example, the search extracts the directory name that follows two backslashes:

| makeresults
| eval file_path="C:\\Users"
| rex field=file_path max_match=3 ".*\\\\(?<root_directory>.*)"

Search result:

@timestamp                 file_path   root_directory
2024-04-05T05:43:04.919Z   C:\\Users   Users

Instead of using four backslashes (\\\\), you can achieve the same search result in a regular expression by using \x5c.

| makeresults
| eval file_path="C:\\Users"
| rex field=file_path max_match=3 ".*\x5c(?<root_directory>.*)"
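To make the two-pass behaviour described above concrete, here is an added Python model that is not part of the SAF framework or its documentation. It assumes a simplified SAFL string pass in which only a pair of backslashes collapses to one, then hands the result to the regex engine, and it rewrites the PCRE-style (?<name>...) group syntax used by rex into Python's (?P<name>...) form. The three patterns are the four-backslash form and the \x5c form from the examples on this page, plus the two-backslash form that the page warns is one level of escaping short.

```python
import re

# Added example: a model of SAFL's two-pass handling of backslashes.
# The first pass below (only "\\" collapsing to "\") is an assumption made
# for illustration; it is not the framework's own parser.


def safl_unescape(literal: str) -> str:
    """Pass 1 (assumed SAFL string parser): each pair of backslashes becomes one.
    Everything else, including the sequence \\x5c, reaches the regex engine untouched."""
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == "\\" and literal[i + 1 : i + 2] == "\\":
            out.append("\\")
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def to_python_regex(pattern: str) -> str:
    """rex uses PCRE-style (?<name>...) groups; Python's re module wants (?P<name>...).
    Lookbehind assertions (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def run_rex(field_value: str, safl_pattern: str):
    """Pass 2: run the unescaped pattern as a regex over the field value.
    Returns the named captures, None when nothing matches, or the regex error text."""
    regex_src = to_python_regex(safl_unescape(safl_pattern))
    try:
        m = re.search(regex_src, field_value)
    except re.error as exc:
        return f"regex error: {exc}"
    return m.groupdict() if m else None


# Constructed field value: one real backslash, as a literal C:\Users would carry.
FILE_PATH = "C:\\Users"

# Four backslashes in the search bar -> two reach the regex -> one literal backslash.
FOUR_BACKSLASHES = r".*\\\\(?<root_directory>.*)"
# \x5c is untouched by pass 1 and means a literal backslash to the regex engine.
HEX_ESCAPE = r".*\x5c(?<root_directory>.*)"
# Only two backslashes: pass 1 leaves "\(" so the group's opening paren is escaped
# and the regex engine rejects the pattern as unbalanced.
TOO_FEW = r".*\\(?<root_directory>.*)"

if __name__ == "__main__":
    for label, pat in [("\\\\\\\\", FOUR_BACKSLASHES), ("\\x5c", HEX_ESCAPE), ("\\\\", TOO_FEW)]:
        print(f"{label:8} -> regex {safl_unescape(pat)!r} -> {run_rex(FILE_PATH, pat)}")
```

Running the block shows the four-backslash and \x5c forms both capture Users, while the two-backslash form never reaches a match because the single surviving backslash swallows the parenthesis that opens the capture group. The same failure shows up in the real framework as a rex parse error rather than an empty result, which is the quickest way to tell under-escaping apart from a pattern that simply did not match.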