
Special Character Escape Query


Explorer

In the Explorer, some characters have special meanings; for example, spaces separate multiple words. If the search content includes any of the following characters, it needs special handling: space, :, ", , \, (, ), [, ], {, }, !.

Since the query syntax used for searching and filtering differs, the handling of special characters also varies.

Filtering

Filtering supports various operators, including =, !=, wildcard, etc.

Since the backslash \ has a special meaning in wildcard syntax, it needs to be escaped:

  • If the search text contains \, add another backslash \ before it to escape it;
  • When filtering with other operators (such as =, !=, etc.), no escaping is needed.

Searching

Use the query_string() query syntax.

In the query_string syntax, the backslash \ and double quotes " have special meanings and need to be escaped:

  • \: Add three backslashes \ before it for escaping;
  • ": Add one backslash \ before it for escaping.

Conversion Methods

Method One: Convert Text into a Phrase

Add double quotes " on both sides of the text to convert it into a phrase. In this case, the content within double quotes will be matched as a whole, and wildcards will be disabled.

If the text contains \ or ", this method cannot be used to search; use "Method Two" instead.

Example:

Search field name cmdline, field value nginx: worker process

  • Search
      "nginx: worker process"   // Successful search, precise word match
      "nginx * process"   // Failed search, because `*` inside double quotes is not treated as a wildcard
  • Filter
      cmdline:"nginx: worker process"   // Successful search, precise word match
      cmdline:"nginx: worker*"  // Failed search, because `*` inside double quotes is not treated as a wildcard

Method Two: Escape Characters

Add a backslash \ before special characters to escape them. If the search text itself contains \, the handling for search and filter differs:

  • Search: Add three backslashes \ before the character for escaping;
  • Filter: Add only one backslash \.

Example:

Search field name cmdline, field value E:\software_installer\vm\vmware-authd.exe

  • Search
      E\:\\\\software_installer\\\\vm\\\\vmware-authd.exe     // Successful search, precise word match
      E\:\\\\software_installer*exe     // Successful search, wildcard fuzzy match
  • Filter
      cmdline:E\:\\software_installer\\vm\\vmware-authd.exe    // Successful search, precise word match
      cmdline:E\:\\software_installer*exe    // Successful search, wildcard fuzzy match
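
The two conversion methods above can be applied programmatically when a raw field value (for example, a process command line copied from an alert) has to be turned into an Explorer query. The following is an added example, not code from the product; the function names are hypothetical, and it assumes the special characters are the ones visible in the list at the top of this page.

```python
# Added example: escaping helpers for the Explorer rules described on this page.
# Function names are hypothetical; the character set is taken from the page's list.

# Special characters other than the backslash, which is handled separately.
SPECIAL = set(' :"()[]{}!')


def _escape(value: str, backslash_as: str) -> str:
    """Prefix each special character with one backslash; expand literal backslashes."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append(backslash_as)
        elif ch in SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)  # `*` is passed through, so it still acts as a wildcard
    return "".join(out)


def escape_search(value: str) -> str:
    """Method Two, Search: a literal backslash gets three backslashes in front of it."""
    return _escape(value, "\\" * 4)


def escape_filter(field: str, value: str) -> str:
    """Method Two, Filter: a literal backslash gets one backslash in front of it."""
    return field + ":" + _escape(value, "\\" * 2)


def as_phrase(value: str) -> str:
    """Method One: wrap in double quotes; reject text that Method One cannot search."""
    if "\\" in value or '"' in value:
        raise ValueError("text contains a backslash or double quote; use Method Two")
    return '"' + value + '"'


if __name__ == "__main__":
    path = r"E:\software_installer\vm\vmware-authd.exe"  # value from the page's example
    print(escape_search(path))
    print(escape_filter("cmdline", path))
    print(as_phrase("nginx: worker process"))
```
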

Other Scenarios

Special characters also need to be handled when querying data with DQL. This applies to features such as chart queries, query tools, Metrics analysis, and monitors.
