Query for Unicode Character in process.name

Hi there,

I am trying to query for a right-to-left override (RTLO) character (U+202E) within a process name.

My query in Dev Tools in Kibana is this:

GET /[index_name]/_eql/search
  "query": """
    process where process.name like "*Up\u{200f}date.exe"

I use the unicode syntax based on what I had found from a section in the documentation.

This is the error that I received:

  "error" : {
    "root_cause" : [
        "type" : "parsing_exception",
        "reason" : "line 2:37: token recognition error at: '\"*Up\\u'"
    "type" : "parsing_exception",
    "reason" : "line 2:37: token recognition error at: '\"*Up\\u'",
    "caused_by" : {
      "type" : "lexer_no_viable_alt_exception",
      "reason" : null
  "status" : 400

Leaving a white-space where my query is process where process.name like "*Up \u{200f} date.exe", leads to the same error.

I have tried changing the query to process where process.name like "*Up\\u{200f}date.exe", which adds an extra backslash. While the query executes successfully, no results are returned.

This is how the process name looks like in Kibana:

As can be seen from my cursor highlight, the RTLO character is inserted after Up.

Thank you for your time!

Note-to-self: I should change like to ==.
Note-to-self-2: Found an old post about replacing unicode characters, but it is for Logstash.

You need to escape this twice. So first time you do the escape for the eql unicode character and the you do a JSON escape on top of those characters.

Thanks a lot for replying to this - I just found out that my original findings were most likely due to the page (that I referenced in my original post) being "preliminary documentation for a future release".

When visiting the documentation for the current, latest release, I do not see the section about escaping unicode characters at all.

In the event that the current documentation is inaccurate, I would still like to try out your suggestion of the double-escaping in the meantime. Just to confirm that I interpreted what you said correctly, would this turn out to be Up\\u\{200f\}date.exe?

Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.