Skip to content

[Bug] KQL does not properly escape leading forward slash #441

New issue
New issue
Open
Open
[Bug] KQL does not properly escape leading forward slash#441
Labels
backlogbugSomething isn't workingkqlrelated to the kql modulepythonInternal python for the repository
@brokensound77

Description

@brokensound77
brokensound77
opened on Oct 30, 2020

Describe the bug
Unquoted leading / must be escaped in KQL, since this is used for regex syntax with lucene

This

process.args:/lockscreenurl\:http*

should become

`"\\/lockscreenurl\\:http*"`

to mimic expected DSL conversion

but instead it is converted to

`"/lockscreenurl\\:http*"`

To Reproduce
Steps to reproduce the behavior:

  1. search process.args:/lockscreenurl\:http* in kibana
  2. this is converted to: "\\/lockscreenurl\\:http*"
  3. run kql.to_dsl("process.args:/lockscreenurl\:http*")
    4 compare diffs

Metadata

Metadata

Assignees

No one assigned

    Labels

    backlogbugSomething isn't workingkqlrelated to the kql modulepythonInternal python for the repository

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions