Create queries that match specified patterns with regular expressions (regex).
XDR Data Explorer allows up to five regex patterns per query. To use regex, surround the pattern
you want to query with forward slashes (/), for example:
endpointHostName: /^(W|m)/
- XDR Data Explorer supports regex only for the string data type.
- Use full match when searching a file path. Partial match on a file path search generates errors.
- Add a space before and after the forward slashes to avoid syntax errors.
Syntax examples
Query | Result | Explanation
/^(this is a regex)/ | Error | Regex queries must include the field name. Free queries are not supported.
endpointHostName: /^(W|m)/ | Returns results | The query has the correct syntax.
filePath: /etc/pwd/config/aaa | Error | The unescaped forward slashes inside the path are read as regex delimiters. Escape each forward slash with a backslash (\): filePath: /\/etc\/pwd\/config\/aaa/. Alternatively, use quotation marks and wildcards instead of regex: filePath: "*/etc/pwd/config/aaa*" (this form is not regex).
filePath: /\/etc\/pwd\/config\/aaa/ | Returns results | The forward slashes inside the path are escaped with backslashes (\), so only the outer slashes act as delimiters.
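The rules above (field-scoped terms, escaped forward slashes, the five-regex limit) can be checked before a query is submitted. The following Python helper is an added example written for this page, not code from XDR Data Explorer or its documentation: it builds correctly delimited terms from a field name and a pattern or a literal path, and lints a query string against those rules. It assumes that terms are joined with AND (the product's boolean syntax is not described on this page) and it cannot check field data types, because it has no access to the schema.

```python
"""Compose and lint XDR Data Explorer regex query terms.

Added example, not part of the product or its documentation. It encodes the
syntax rules stated on this page: a regex term is "field: /pattern/", slashes
inside the pattern must be escaped as \\/, delimiters are separated by spaces,
and a query may carry at most five regex terms. Field data types are not
checked; the lint has no schema.
"""
import re

MAX_REGEX_PER_QUERY = 5  # limit stated in the documentation

# One regex term: optional "field:" prefix, then /body/ whose body may contain
# escaped characters (\/) but no bare slash. Both delimiters must sit at
# whitespace boundaries, which is what the "space around slashes" rule asks for.
_TERM = re.compile(r"(?:(\w+):\s+)?(?<!\S)/((?:[^/\\]|\\.)*)/(?!\S)")
_BARE_SLASH = re.compile(r"(?<!\\)/")


def escape_slashes(pattern: str) -> str:
    """Escape every unescaped forward slash so it is not read as a delimiter."""
    return _BARE_SLASH.sub(r"\\/", pattern)


def regex_term(field: str, pattern: str) -> str:
    """Scope a regex to a field and wrap it in delimiters."""
    return f"{field}: /{escape_slashes(pattern)}/"


def path_term(field: str, path: str) -> str:
    """Turn a literal file path into a regex term.

    Regex metacharacters are escaped first, then the slashes, so the result
    matches the path literally. Anchoring is left to the caller.
    """
    return regex_term(field, re.escape(path))


def lint_query(query: str) -> list:
    """Return findings for a query string; an empty list means the regex
    syntax rules on this page are satisfied."""
    findings = []
    terms = list(_TERM.finditer(query))
    for n, m in enumerate(terms, 1):
        if m.group(1) is None:
            findings.append(
                f"regex term {n} (/{m.group(2)}/) has no field name; "
                "free regex queries are not supported"
            )
    if len(terms) > MAX_REGEX_PER_QUERY:
        findings.append(
            f"{len(terms)} regex terms; at most {MAX_REGEX_PER_QUERY} "
            "are allowed per query"
        )
    # Whatever is left after removing well-formed terms must not contain a
    # bare slash: that is the unescaped-path mistake from the table above.
    remainder = _TERM.sub(" ", query)
    if _BARE_SLASH.search(remainder):
        findings.append(
            "unescaped forward slash outside a regex term; escape it as \\/ "
            "or use a quoted wildcard string instead of regex"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs taken from the syntax table on this page.
    samples = [
        "/^(this is a regex)/",
        "endpointHostName: /^(W|m)/",
        "filePath: /etc/pwd/config/aaa",
        path_term("filePath", "/etc/pwd/config/aaa"),
        # "AND" as the term joiner is an assumption for this example.
        " AND ".join(regex_term("endpointHostName", "^" + c) for c in "abcdef"),
    ]
    for q in samples:
        print(q, "->", lint_query(q) or "ok")
```

path_term produces the escaped form shown in the last table row, and lint_query reports the unescaped path, the field-less regex and an over-the-limit query as separate findings, so the same checks can run in a pre-submit hook for saved queries.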