Query for Unicode Character in process.name

inf · April 15, 2021, 4:30am

Hi there,

I am trying to query for a right-to-left override (RTLO) character (U+202E) within a process name.

My query in Dev Tools in Kibana is this:

GET /[index_name]/_eql/search
{
  "query": """
    process where process.name like "*Up\u{200f}date.exe"
  """
}

I use the unicode syntax based on what I had found from a section in the documentation.

This is the error that I received:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "line 2:37: token recognition error at: '\"*Up\\u'"
      }
    ],
    "type" : "parsing_exception",
    "reason" : "line 2:37: token recognition error at: '\"*Up\\u'",
    "caused_by" : {
      "type" : "lexer_no_viable_alt_exception",
      "reason" : null
    }
  },
  "status" : 400
}

Leaving a white-space where my query is process where process.name like "*Up \u{200f} date.exe", leads to the same error.

I have tried changing the query to process where process.name like "*Up\\u{200f}date.exe", which adds an extra backslash. While the query executes successfully, no results are returned.

This is how the process name looks like in Kibana:

As can be seen from my cursor highlight, the RTLO character is inserted after Up.

Thank you for your time!

Note-to-self: I should change like to ==.
Note-to-self-2: Found an old post about replacing unicode characters, but it is for Logstash.

Marius_Dragomir · April 22, 2021, 1:34pm

You need to escape this twice. So first time you do the escape for the eql unicode character and the you do a JSON escape on top of those characters.

inf · April 23, 2021, 2:49am

Thanks a lot for replying to this - I just found out that my original findings were most likely due to the page (that I referenced in my original post) being "preliminary documentation for a future release".

When visiting the documentation for the current, latest release, I do not see the section about escaping unicode characters at all.

In the event that the current documentation is inaccurate, I would still like to try out your suggestion of the double-escaping in the meantime. Just to confirm that I interpreted what you said correctly, would this turn out to be Up\\u\{200f\}date.exe?

Thank you!

system · May 21, 2021, 2:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to search file path field value in Kibana? Kibana kql-kibana-query-language	1	1001	March 15, 2023
Search error and escaping characters Kibana	2	195	November 10, 2023
Dev Tools search with a "/" works, but in a query doesn't Kibana	4	301	January 17, 2019
Problem with SQL query when using RLIKE or LIKE function Kibana elastic-stack-sql	6	1157	June 29, 2021
SQL execution for filed with dot notation Kibana	4	376	November 21, 2019

Query for Unicode Character in process.name

Related topics