
Log Insight Event Forwarding: Filters Containing Backslashes

I have covered Log Insight event forwarding in the past, but wanted to discuss a potential gotcha when leveraging filters that contain the backslash character. Read on to learn more!


As you know, Log Insight supports sending events over cfapi and syslog, with or without filters. Some of the filter operators are a little different from what you get in Interactive Analytics because event forwarding happens before the ingestion pipeline, so keyword indices are not available. One additional nuance this introduces is around escaped characters. It turns out that one character needs to be escaped when using event forwarding filters. Any idea which one it is? Yup, backslash.
So, if you want to have a filter like:

then you actually need to write:

Now you know!

© 2017, Steve Flanders. All rights reserved.
