Common mistake while performing IDR Log Search Queries

Just posting this for visibility. When performing queries in IDR Log Search, if you are searching for a string or value that includes a space, you NEED to wrap that value or string in either quotation marks or regex. A typical space is read by Log Search as an AND operator.

Let’s use the following example query:
where(process.exe_file.description=PostgreSQL Server)

Without proper quotes: [screenshot]

If we take a look at the above, we can see no logs were returned. That is because, without the quotes, IDR is looking for logs where the key name, process.exe_file.description, has a value of PostgreSQL, and then it's also looking for the value Server.

With proper quotes: [screenshot]

If we take a look at the above, we can see logs are returned because the quotes around the value PostgreSQL Server make IDR view it as a single value.

2 Likes

A few more tech details:

  1. You can use single quotes when your string contains double quotes:
    where(key = 'va"l"ue')

  2. You can have single quotes within the doubly quoted strings:
    where(key = "va'l'ue")

  3. If your string contains both single and double quotes, or any other symbol, you can use triple quotes, single or double ones:
    where(key1 = '''va ' " lue''' OR key2 = """qu '' "" '' otes""")

https://docs.rapid7.com/insightidr/use-a-search-language#quotes

1 Like
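To make the behaviour from both posts above concrete (a bare space acting as AND, and the single/double/triple quoting rules), here is a small Python model of how a where() clause splits into terms. This is example code added for this thread, not Rapid7's parser; its rules are an assumption taken only from the posts and the linked docs.

```python
"""Toy model of how InsightIDR Log Search splits a where() clause into terms.
Added for this thread; NOT Rapid7's parser. It assumes only the rules stated
in the posts above: an unquoted space acts as AND, and a value may be wrapped
in '...', "...", '''...''' or a triple of double quotes."""

QUOTES = ("'''", '"""', "'", '"')   # longest first so triple quotes win


def tokenize(clause):
    """Whitespace and '=' outside quotes split tokens; a quoted span is one
    token with its quotes stripped, whatever it contains."""
    tokens, buf, i = [], "", 0
    while i < len(clause):
        q = next((q for q in QUOTES if clause.startswith(q, i)), None)
        if q:                                    # opening quote found
            end = clause.find(q, i + len(q))     # matching closing quote
            if end < 0:
                raise ValueError(f"unterminated {q} quote at offset {i}")
            buf += clause[i + len(q):end]
            i = end + len(q)
        elif clause[i].isspace() or clause[i] == "=":
            tokens += [buf] if buf else []       # flush the pending token
            tokens += ["="] if clause[i] == "=" else []
            buf, i = "", i + 1
        else:
            buf += clause[i]
            i += 1
    return tokens + ([buf] if buf else [])


def effective_terms(query):
    """Terms IDR would evaluate, with the AND that a bare space implies made
    explicit. 'key = value' folds into 'key=value'; a leftover bare word
    (the 'Server' in the thread's example) becomes its own AND'd term."""
    if not (query.startswith("where(") and query.endswith(")")):
        raise ValueError("expected a where(...) clause")
    tokens, out, i = tokenize(query[6:-1]), [], 0
    while i < len(tokens):
        if tokens[i] in ("AND", "OR"):           # explicit operator, kept
            out.append(tokens[i])
            i += 1
            continue
        if i + 2 < len(tokens) and tokens[i + 1] == "=":
            term, i = f"{tokens[i]}={tokens[i + 2]}", i + 3
        else:
            term, i = tokens[i], i + 1
        if out and out[-1] not in ("AND", "OR"):
            out.append("AND")                    # bare space between terms
        out.append(term)
    return out
```

Running effective_terms on the thread's unquoted query yields the key compared against PostgreSQL AND a separate bare term Server, which is exactly why no logs came back; the quoted form yields a single term.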

Thank you for the added info @alexey_shulga! Just a side question for our readers: for encasing values in quotes, is there a preference or difference between using single quotes and double quotes?

where(key='value1') vs. where(key="value")