Skip to content

Special Character Escaping Queries

Explorer

In the Explorer, some characters have special meanings, such as space used to separate multiple words. If the search content contains the following characters, special handling is required: space, :, ", , \, (, ), [, ], {, }, !.

Since the query syntax used for search and filtering is different, the handling of special characters also varies.

Filtering

Multiple operators are supported, including =, !=, wildcard, etc.

Because the backslash \ has a special meaning in the wildcard syntax, it needs to be escaped:

  • If the search text contains \, you need to add another backslash \ in front of it for escaping.
  • When using other operators (such as =, !=, etc.) for filtering, no escaping is required.

Uses the query_string() query syntax.

In the query_string syntax, the backslash \ and double quote " have special meanings and need to be escaped:

  • \: You need to add three more backslashes \ in front of it for escaping.
  • ": You need to add one more backslash \ in front of it for escaping.

Conversion Methods

Method 1: Turn text into a phrase

Adding double quotes " on both sides of the text turns it into a phrase. In this case, the content inside the double quotes will be matched as a whole, and wildcards will become invalid.

If the text contains \ or ", this method will not work for retrieval. Please use "Method 2" for querying.

Example:

Search for field name cmdline, field value nginx:worker process

  • Search
"nginx: worker process"   //Search successful, exact word match

"nginx * process"   //Search failed, because * inside double quotes is not treated as a wildcard
  • Filtering
cmdline:"nginx: worker process"   //Search successful, exact word match

cmdline:"nginx: worker*"  //Search failed, because * inside double quotes is not treated as a wildcard

Method 2: Escape characters

Add a backslash \ in front of special characters to escape them. If the text being searched itself contains \, the handling differs for search and filtering:

  • Search: You need to add three more backslashes \ in front of the character for escaping.
  • Filtering: You only need to add one backslash \.

Example:

Search for field name cmdline, field value E:\software_installer\vm\vmware-authd.exe

  • Search
E\:\\\\software_installer\\\\vm\\\\vmware-authd.exe     //Search successful, exact word match

E\:\\\\software_installer*exe     //Search successful, wildcard fuzzy match
  • Filtering
cmdline:E\:\\software_installer\\vm\\vmware-authd.exe    //Search successful, exact word match

cmdline:E\:\\software_installer*exe    //Search successful, wildcard fuzzy match

Other Scenarios

When using DQL to query data, special characters need to be handled. This involves features including: chart queries, query tools, metric analysis, monitors, etc.

Feedback

Is this page helpful? ×