There are many places within the product where escape characters are required. The following guide shows where escaping is required.

| Type | Applies to |
| --- | --- |
| Filter Value Escaping | PowerQuery Filters, Free text search filters (contains, =, !=, >=<) |

| Character | Escape | Example |
| --- | --- | --- |
| " | \" | message contains "\"key\":\"value\"" OR "\"key\":\"value\"" |
| \ | \\ | path = "C:\\Program Files\\wireshark\\log\\log.txt" |
| / | \/ or / | logfile = "/var/log/access.log" OR logfile = "\/var\/log\/access.log" |

| Type | Applies to |
| --- | --- |
| Key Escaping | PowerQuery Filters, Free text search filters (contains, =, !=, >=<) |

| Character | Escape | Example |
| --- | --- | --- |
| key-1 | key\-1 | server\-1 = "foo" |
| key.1 | key.1 | key.1="foo" |

| Type | Applies to |
| --- | --- |
| Regex Escaping | Agent Configuration (redaction/sampling), Parsing, PowerQuery Expressions, PowerQuery Parsing, PowerQuery Filtering, Preprocessing |

| Character | Escape | Example | Example Type |
| --- | --- | --- | --- |
| \d | \\d | parse "$server$-\\d+" from serverHost | PowerQuery parse command |
| \w | \\w | serverHost matches "\\w+-server-\\d+" | Search Match Command |
| \. | \\. | filter ip matches "192\\.168\\.0\\.1" | PowerQuery filter command |
| \W | \\W | ip matches "192\\.168\\.0\\.1\\W80" | Search Match Command |
| \[ or \] | \\[ | message matches "\\[\"key\":\"value\"\\]" | Search Match Command |
| \{ or \} | \\{ | let isJson = message matches "^\\{.*\\}" ? "true" : "false" | PowerQuery expression |
| \( or \) | \\( | thread matches "\\([^\\)]\\)" | Search Match Command |
| \+ | \\+ | math matches "1\\+1\\=2" | Search Match Command |
| \= | \\= | math matches "1\\+1\\=2" | Search Match Command |
| $ | $$ | properties.user matches "app-server-1$$" | Search Match Command |
| \? | \\? | message matches "how are you( doing)?\\?" | Search Match Command |
| \* | \\* | message matches "t\\*.*" | Search Match Command |
| \n | \\\\n | stackTrace matches "stack trace\\\\n" | Search Match Command |
| \t | \\\\t | stackTrace matches "stack trace\\\\n\\\\tat\\\\n\\\\tat" | Search Match Command |
| \s | \\s | message matches "hello\\sworld" | Search Match Command |
| \D | \\D | serverHost matches "app-\\D+-\\d+" | Search Match Command |
| " | \" | match_expression: "password: \".*\"," | Agent Redaction Rule |

Note: the shorthand match expression ($"regex") does not require double escaping, so use the "Character" column for shorthand regex in search. For example, write $"192\.168\.1\.1" instead of message matches "192\\.168\\.1\\.1".
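
When filters are generated by a script from values it does not control (hostnames, paths, message fragments), applying the rules above in code keeps a stray quote or backslash from ending the string early and changing what the filter matches. The following is an added example, not product code: the helper names are hypothetical, and it implements only the rules listed in the tables on this page, rejecting sequences the tables do not cover.

```python
import re

# Added example: hypothetical helpers that apply only the escaping rules
# listed in the tables on this page.

def escape_key(key: str) -> str:
    # Key escaping: '-' becomes '\-'; '.' needs no escape.
    return key.replace("-", "\\-")

def quote_filter_value(value: str) -> str:
    # Filter value escaping: escape '\' first, then '"', so the backslash
    # added for a quote is not doubled again. '/' may stay unescaped.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def equals_filter(key: str, value: str) -> str:
    return f"{escape_key(key)} = {quote_filter_value(value)}"

# A backslash plus the following character (if any), or a bare '"' / '$'.
_TOKEN = re.compile(r'\\(.?)|(["$])', re.DOTALL)

def quote_regex(regex: str) -> str:
    """Turn a plain regex (the "Character" column, as used in the $"..."
    shorthand) into the double-escaped quoted form used after `matches`."""
    def repl(m: re.Match) -> str:
        if m.group(2) is not None:          # bare '"' or '$'
            return '\\"' if m.group(2) == '"' else "$$"
        ch = m.group(1)
        if ch == "" or ch in '"$\\':        # trailing '\', or \" \$ \\
            raise ValueError(f"sequence '\\{ch}' is not covered by the tables")
        # \n and \t take four backslashes; every other escape takes two.
        return ("\\" * 4 if ch in "nt" else "\\" * 2) + ch
    return '"' + _TOKEN.sub(repl, regex) + '"'

if __name__ == "__main__":
    # Constructed sample inputs, chosen to mirror the examples in the tables.
    print(equals_filter("path", r"C:\Program Files\wireshark\log\log.txt"))
    print("message contains", quote_filter_value('"key":"value"'))
    print("serverHost matches", quote_regex(r"\w+-server-\d+"))
    print("stackTrace matches", quote_regex(r"stack trace\n\tat"))
```
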
