Skip to content

Special Character Escape Query

Explorer

In the Explorer, some characters have special meanings, for example, spaces are used to separate multiple words. If the search content contains the following characters, special processing is required: space, :, ", , \, (, ), [, ], {, }, !.

Since the query syntax used for searching and filtering differs, the handling of special characters also varies.

Filtering

Supports various operators, including =, !=, wildcard, etc.

Because the backslash \ has a special meaning in wildcard syntax, it needs to be escaped:

  • If the search text contains \, an additional backslash \ must be added in front of it for escape querying;
  • When using other operators (such as =, !=, etc.) for filtering, no escape processing is required.

Searching

Uses the query_string() query syntax.

In the query_string syntax, the backslash \ and double quotes " have special meanings, so they need to be escaped:

  • \: An additional three backslashes \ must be added in front of it for escaping;
  • ": An additional one backslash \ must be added in front of it for escaping.

Conversion Methods

Method One: Convert Text into a Phrase

By enclosing the text with double quotes " on both sides, the text can be converted into a phrase. In this case, the content within the double quotes will be matched as a whole, and wildcards will not work.

If the text contains \ or ", this method will fail to retrieve results; please use "Method Two" for querying.

Example:

Search field name cmdline, field value nginx:worker process

  • Search
"nginx: worker process"   // Successful retrieval, precise word match

"nginx * process"   // Failed retrieval, because * inside double quotes is not considered a wildcard
  • Filter
cmdline:"nginx: worker process"   // Successful retrieval, precise word match

cmdline:"nginx: worker*"  // Failed retrieval, because * inside double quotes is not considered a wildcard

Method Two: Escape Characters

Add a backslash \ in front of special characters to escape them. If the searched text itself contains \, the handling methods for searching and filtering differ:

  • Search: Three backslashes \ must be added in front of the character for escaping;
  • Filter: Only one backslash \ needs to be added.

Example:

Search field name cmdline, field value E:\software_installer\vm\vmware-authd.exe

  • Search
E\:\\\\software_installer\\\\vm\\\\vmware-authd.exe     // Successful retrieval, precise word match

E\:\\\\software_installer*exe     // Successful retrieval, wildcard fuzzy matching
  • Filter
cmdline:E\:\\software_installer\\vm\\vmware-authd.exe    // Successful retrieval, precise word match

cmdline:E\:\\software_installer*exe    // Successful retrieval, wildcard fuzzy matching

Other Scenarios

When using DQL to query data, some special characters need to be processed, involving features such as: chart queries, query tools, metrics analysis, monitors, etc.

Feedback

Is this page helpful? ×