Closed landoncrabtree closed 1 year ago
This is not a parsing error, though it may be a behavior of the contains operator or simply that the string is not an exact match.
It might be that the text 'wmic process get /format:list' has special characters, and your filters don't. You can try to check the binary byte representation of the text using the toutf8() function, and then look at the output.
From: Landon
Sent: Friday, May 27, 2022 4:39:36 PM
To: microsoft/Kusto-Query-Language
Subject: [microsoft/Kusto-Query-Language] Weird parsing error (Issue #76)
> I'm not sure if this is a bug on KQL's side, or my side, but I decided to report it because I can't get it to work and it's providing unexpected behavior.
>
> DeviceProcessEvents | where DeviceName contains "xxx" | where AccountName contains "xxx" | where ProcessCommandLine contains "tasklist" or ProcessCommandLine contains 'wmic' | project AccountUpn, DeviceName, ProcessCommandLine
>
> Note the output for ProcessCommandLine. Interestingly enough, changing the query to the following:
>
> DeviceProcessEvents | where DeviceName contains "xxx" | where AccountName contains "xxx" | where ProcessCommandLine contains "tasklist" or ProcessCommandLine contains 'wmic process get /format:list' | project AccountUpn, DeviceName, ProcessCommandLine
>
> I'm not sure why this is? Is there something wrong with my syntax, or is this something that needs to be looked at? I've tried using has, contains, ==, and nothing seems to resolve it.
>
> Thank you in advance!
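The reply above suggests dumping the byte representation of the logged text to see whether it really is byte-identical to the filter string. The following is an added example, not code from the issue thread or from the Kusto project: it reproduces that check in Python, mimics the case-insensitive substring semantics of KQL's `contains`, and shows a defender-side normalisation step that makes a hunt term match when the recorded command line carries look-alike characters (a no-break space, a zero-width character). The sample command lines are constructed for illustration, and the helper names (`utf8_bytes`, `kql_contains`, `normalize_command_line`, `find_nonascii`, `hunt`) are my own.

```python
import unicodedata

# Constructed sample command lines (not real telemetry). Two of the wmic lines
# read the same on screen as the hunt term but are not byte-identical to it.
SAMPLE_COMMAND_LINES = [
    "wmic process get /format:list",             # plain ASCII
    "wmic\u00a0process get /format:list",        # U+00A0 no-break space after 'wmic'
    "wmic process get /format:\u200blist",       # U+200B zero-width space inside 'format:list'
    "tasklist /v",
]

HUNT_TERM = "wmic process get /format:list"


def utf8_bytes(s: str) -> list[int]:
    """UTF-8 bytes of s: the byte dump the reply recommends inspecting."""
    return list(s.encode("utf-8"))


def kql_contains(haystack: str, needle: str) -> bool:
    """Approximate KQL `contains`: case-insensitive substring test, no normalisation."""
    return needle.casefold() in haystack.casefold()


def find_nonascii(s: str) -> list[tuple[int, str, str]]:
    """(index, char, Unicode name) for every non-ASCII character, so an analyst
    can see exactly which character breaks the match."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(s) if ord(ch) > 0x7F]


def normalize_command_line(s: str) -> str:
    """Normalise before matching: NFKC folds compatibility characters such as
    the no-break space into their plain equivalents, format characters
    (category Cf, which covers zero-width characters) are dropped, and runs of
    whitespace are collapsed to a single space."""
    s = unicodedata.normalize("NFKC", s)
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Cf")
    return " ".join(s.split())


def hunt(command_lines: list[str], needle: str) -> tuple[list[str], list[str]]:
    """Return (matches on raw text, matches after normalisation)."""
    raw = [c for c in command_lines if kql_contains(c, needle)]
    normalized = [c for c in command_lines
                  if kql_contains(normalize_command_line(c), needle)]
    return raw, normalized


if __name__ == "__main__":
    raw, normalized = hunt(SAMPLE_COMMAND_LINES, HUNT_TERM)
    print(f"raw contains matched {len(raw)} line(s), normalised matched {len(normalized)}")
    for line in SAMPLE_COMMAND_LINES:
        odd = find_nonascii(line)
        if odd:
            print(repr(line), "->", odd, "bytes:", utf8_bytes(line))
```

Running it shows the pattern from the issue: the short term `wmic` matches every wmic line, while the full `wmic process get /format:list` matches only the ASCII one until the command lines are normalised. In a detection pipeline the normalisation belongs on the ingestion side, not in every query, so that hunt terms behave predictably.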
I'm not sure if this is a bug on KQL's side, or my side, but I decided to report it because I can't get it to work and it's providing unexpected behavior.

```kusto
DeviceProcessEvents
| where DeviceName contains "xxx"
| where AccountName contains "xxx"
| where ProcessCommandLine contains "tasklist" or ProcessCommandLine contains 'wmic'
| project AccountUpn, DeviceName, ProcessCommandLine
```

Produces the following output:

Note the output for ProcessCommandLine. Interestingly enough, changing the query to the following:

```kusto
DeviceProcessEvents
| where DeviceName contains "xxx"
| where AccountName contains "xxx"
| where ProcessCommandLine contains "tasklist" or ProcessCommandLine contains 'wmic process get /format:list'
| project AccountUpn, DeviceName, ProcessCommandLine
```

Produces the following:

I'm not sure why this is? Is there something wrong with my syntax, or is this something that needs to be looked at? I've tried using has, contains, ==, and nothing seems to resolve it.

Thank you in advance!