There are many places within the product where escape characters are required. The following guide demonstrates where escaping is required.
Type | Applies to |
Filter Value Escaping | PowerQuery Filters, Free text search filters (contains, =, !=, >=<) |
Character | Escape | Example |
" | \" | message contains "\"key\":\"value\"" OR "\"key\":\"value\"" |
\ | \\ | path = "C:\\Program Files\\wireshark\\log\\log.txt" |
/ | \/ or / | logfile = "/var/log/access.log" OR logfile = "\/var\/log\/access.log" |
Type | Applies to |
Key Escaping | PowerQuery Filters, Free text search filters (contains, =, !=, >=<) |
Character | Escape | Example |
key-1 | key\-1 | server\-1 = "foo" |
key.1 | key.1 | key.1="foo" |
Type | Applies to |
Regex Escaping | Agent Configuration (redaction/sampling), Parsing, PowerQuery Expressions, PowerQuery Parsing, Power Query Filtering, Preprocessing |
Character | Escape | Example | Example Type |
\d | \\d | | parse "$server$-\\d+" from serverHost | PowerQuery parse command |
\w | \\w | serverHost matches "\\w+-server-\\d+" | Search Match Command |
\. | \\. | | filter ip matches "192\\.168\\.0\\.1" | PowerQuery filter command |
\W | \\W | ip matches "192\\.168\\.0\\.1\\W80" | Search Match Command |
\[ or \] | \\[ | message matches "\\[\"key\":\"value\"\\]" | Search Match Command |
\{ or \} | \\{ | | let isJson = message matches "^\\{.*\\}" ? "true" : "false" | PowerQuery expression |
\( or \) | \\( | thread matches "\\([^\\)]\\)" | Search Match Command |
\+ | \\+ | math matches "1\\+1\\=2" | Search Match Command |
\= | \\= | math matches "1\\+1\\=2" | Search Match Command |
$ | $$ | properties.user matches "app-server-1$$" | Search Match Command |
\? | \\? | message matches "how are you( doing)?\\?" | Search Match Command |
\* | \\* | message matches "t\\*.*" | Search Match Command |
\n | \\\\n | stackTrace matches "stack trace\\\\n" | Search Match Command |
\t | \\\\t | stackTrace matches "stack trace\\\\n\\\\tat\\\\n\\\\tat" | Search Match Command |
\s | \\s | message matches "hello\\sworld" | Search Match Command |
\D | \\D | serverHost matches "app-\\D+-\\d+" | Search Match Command |
" | \" | match_expression: "password: \".*\"," | Agent Redaction Rule |
Note: the shorthand match expression ($"regex") does not require double escaping, so refer to the "Character" column when writing shorthand regex in search. Example: $"192\.168\.1\.1" instead of message matches "192\\.168\\.1\\.1"
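The escaping rules in the tables above, applied programmatically. This is an added example, not part of the original guide or the product: a Python helper that quotes a filter value and rewrites a shorthand regex (the "Character" column) into the double-escaped quoted form (the "Escape" column). The function names are hypothetical, and regex escapes the tables do not list (`\\`, `\"`, `\$`) are rejected rather than guessed.

```python
# Added example: rules transcribed from the tables on this page.
# Function and constant names are hypothetical, not a product API.

QUAD = {"n", "t"}             # \n and \t take four backslashes in the quoted form
UNCOVERED = {"\\", '"', "$"}  # \\, \" and \$ inside a regex are not in the tables


def quote_filter_value(value: str) -> str:
    # Filter Value Escaping: double each backslash, escape each double quote,
    # leave "/" alone (the table lists its escape as optional), then quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def shorthand_to_matches(regex: str) -> str:
    # Rewrite a shorthand regex as the quoted string used after `matches`.
    out, i = [], 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\":
            # Consume the backslash together with the character it escapes,
            # so each escape sequence is rewritten as one unit.
            if i + 1 == len(regex):
                raise ValueError("dangling backslash at end of regex")
            nxt = regex[i + 1]
            if nxt in UNCOVERED:
                raise ValueError(f"escape \\{nxt} is not covered by the tables")
            out.append("\\" * (4 if nxt in QUAD else 2) + nxt)
            i += 2
            continue
        if ch == '"':
            out.append('\\"')   # " becomes \"
        elif ch == "$":
            out.append("$$")    # $ becomes $$
        else:
            out.append(ch)
        i += 1
    return '"' + "".join(out) + '"'


if __name__ == "__main__":
    # Inputs are the unescaped forms of example rows from the tables.
    print("path =", quote_filter_value(r"C:\Program Files\wireshark\log\log.txt"))
    print("ip matches", shorthand_to_matches(r"192\.168\.0\.1\W80"))
    print("stackTrace matches", shorthand_to_matches(r"stack trace\n\tat"))
```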