Use regex in queries

Views:

Create queries to match specified patterns in detections and telemetry data with regular expressions (regex).

Use regular expressions (regex) to query logs using flexible patterns instead of exact text. A regex pattern combines characters and symbols to match a range of log entries in a single query.

In a field-value pair, surround the value with forward slashes (/). Add a space before and after forward slashes to avoid syntax errors:

endpointHostName: /^(W|m)/

Important

Regex can only be used for querying string data type fields.
You can use up to five regex per query.
Use full match to query file paths. Using partial match for file paths generates errors. For more information, see Query syntax.

Example query	Result	Description
/^(this is a regex)/	Error	Use field-value pairs to avoid syntax errors.
filePath: /etc/pwd/config/aaa	Error	Use a backslash (\) to escape each forward slash (/) to avoid syntax errors. filePath: /\/etc\/pwd\/config\/aaa/ Additionally, you can also use quotation marks and wildcards to avoid syntax errors. The following example is not regex. filePath: "/etc/pwd/config/aaa"
endpointHostName: /^(W\|m)/	Returns results	This query has the correct syntax.
filePath: /\/etc\/pwd\/config\/aaa/	Returns results	This query has the correct syntax.

Comments (0)