process.command_line:("*cn\/half\ \-\-cpu\-priority*" OR "*\-\-cpu\-priority\ 1*")
My expectation would be to not have those quotation marks. It should look like:
process.command_line:(*cn\/half\ \-\-cpu\-priority* OR *\-\-cpu\-priority\ 1*)
I tested both versions inside my local Elasticsearch instance and the one with quotation marks didn't show any results. This is due to the nature of the Lucene query language, which interprets the quotation marks as a normal character. This behavior is also mentioned inside their documentation.
Environment
Elasticsearch Version: 8
pySigma-backend-elasticsearch Version: 1.0.9
Python Version: 3.10
Possible Fix
When I change the variable `str_quote: ClassVar[str] = '"'` to `str_quote: ClassVar[str] = ''` then it works. But not sure if it breaks other things.
* When I change the variable `str_quote: ClassVar[str] = '"'` to `str_quote: ClassVar[str] = ''` then it works. But not sure if it breaks other things.
I can confirm this would break at least one thing. Specifically, matching against the empty string would result in a malformed Lucene query. (field:)
Please check out PR #43 for a different solution that mitigates this problem.
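The quoting problem from the issue and the empty-string case from the comment, as an added Python example that is not part of the thread and is not pySigma's or PR #43's code. The function names, the reserved-character set (taken from the Elasticsearch query_string documentation) and the choice to treat every `*` and `?` as a wildcard are assumptions; the sample values are reconstructed from the expected query above.

```python
# Illustrative sketch, not the pySigma backend: hypothetical helper names.
# Reserved characters of Elasticsearch query_string syntax (assumed set),
# excluding * and ?, which are kept as wildcards here.
RESERVED = r'\+-=&|><!(){}[]^"~:/'


def escape_term(value: str) -> str:
    """Backslash-escape reserved characters and whitespace for an unquoted term."""
    return "".join(
        "\\" + ch if (ch in RESERVED or ch.isspace()) else ch
        for ch in value
    )


def lucene_value(value: str) -> str:
    """Render one value, quoting it only when quoting does not change its meaning."""
    if value == "":
        # Dropping the quotes here would leave a bare `field:`, which is malformed.
        return '""'
    if "*" in value or "?" in value:
        # Wildcards are not expanded inside a quoted phrase, so emit an
        # escaped, unquoted term instead.
        return escape_term(value)
    # No wildcard: a quoted phrase is safe; only \ and " need escaping inside it.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def lucene_any(field: str, values: list[str]) -> str:
    """Render `field:(v1 OR v2 ...)` for a list of alternative values."""
    rendered = [lucene_value(v) for v in values]
    if len(rendered) == 1:
        return f"{field}:{rendered[0]}"
    return f"{field}:({' OR '.join(rendered)})"


if __name__ == "__main__":
    # Constructed input: the two wildcard values behind the query in the issue.
    samples = ["*cn/half --cpu-priority*", "*--cpu-priority 1*"]
    print(lucene_any("process.command_line", samples))
    print(lucene_any("process.command_line", [""]))
    print(lucene_any("process.command_line", ["cmd.exe /c"]))
```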
Lucene Rule Generation Quotation Mark Issue
When a selection item contains a blank space, the Lucene rule will be
surrounded by quotation marks, which seems like an invalid syntax.
Description
I tried converting this rule by using the command below:
The generated rule looked like this: