Answer by warren for Splunk regex filter events only one occurrence of special character

@Jerry's response is interesting – I would do something similar:

index="association" sourcetype="escaplogs" 
| rex field=data.val max_match=0 "(?<slashes>\/)"
| where isnotnull(slashes) AND mvcount(slashes)<2
<rest of search>

This is going to find everything that a) has at least one slash (isnotnull(slashes)) in the field data.val, and b) throws out everything with more than 1 (mvcount(slashes)<2).

from User warren – Stack Overflow https://stackoverflow.com/questions/76996036/splunk-regex-filter-events-only-one-occurrence-of-special-character/77000918#77000918