The API query parsing is producing various unexpected results.
Example 1:
{ "verb":"query", "query":"process.file.name:xvi32.exe", "fields":["process.file.name","type_id"]} returns 49 results, including xvi32.exe but also rundll32.exe and various other .exe files.
{ "verb":"query", "query":"process.file.name:xvi32", "fields":["process.file.name","type_id"]} returns the expected 2 results where xvi32.exe is the process.file.name.
Example 2:
{ "verb":"query", "query":"event_actor.cmd_line:\"C:\\windows\\system32\\cmd.exe\"", "fields":["event_actor.cmd_line"]} returns 25,688 results, including process events where the event_actor.cmd_line was reported as C:\Windows\system32\services.exe
{ "verb":"query", "query":"event_actor.file.name:cmd.exe", "fields":["event_actor.cmd_line","event_actor.file.name"]} returns 18 results, and in each of those results you can see the event_actor.cmd_line value starts with "C:\windows\system32\cmd.exe"
A UI search on the same appliance for event_actor.file.name:cmd.exe returns 101 events.
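As an added example (not part of the original report or the product's own code), a client-side check that re-applies the expected match semantics to every record the API returns, so over-broad hits such as rundll32.exe or services.exe can be counted instead of eyeballed. The query grammar (field:value, double quotes marking a phrase) and the match semantics are assumptions; the result records are constructed.

```python
import json

# Constructed sample result records (not from the original report), shaped
# like the over-broad matches the report describes.
RESULTS_XVI32 = [
    {"process.file.name": "xvi32.exe", "type_id": 1},
    {"process.file.name": "XVI32.exe", "type_id": 1},
    {"process.file.name": "rundll32.exe", "type_id": 1},
    {"process.file.name": "notepad.exe", "type_id": 1},
]
RESULTS_CMD = [
    {"event_actor.cmd_line": "C:\\windows\\system32\\cmd.exe /c dir"},
    {"event_actor.cmd_line": "C:\\Windows\\system32\\services.exe"},
    {"event_actor.cmd_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs"},
]

# The two request bodies quoted in the report, verbatim.
REQ_XVI32 = r'{ "verb":"query", "query":"process.file.name:xvi32.exe", "fields":["process.file.name","type_id"]}'
REQ_CMD = r'{ "verb":"query", "query":"event_actor.cmd_line:\"C:\\windows\\system32\\cmd.exe\"", "fields":["event_actor.cmd_line"]}'


def parse_query(query):
    """Split 'field:value' into (field, value, quoted). Assumed grammar:
    a double-quoted value is a phrase, an unquoted one is a whole-value term."""
    field, _, raw = query.partition(":")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return field, raw[1:-1], True
    return field, raw, False


def matches(record, field, value, quoted):
    """Expected semantics (assumed): phrase => case-insensitive substring,
    bare term => case-insensitive equality of the whole field value."""
    actual = record.get(field)
    if not isinstance(actual, str):
        return False
    if quoted:
        return value.lower() in actual.lower()
    return actual.lower() == value.lower()


def audit(request_body, results):
    """Return (expected, spurious) record lists for one request and its results."""
    field, value, quoted = parse_query(json.loads(request_body)["query"])
    expected = [r for r in results if matches(r, field, value, quoted)]
    spurious = [r for r in results if not matches(r, field, value, quoted)]
    return expected, spurious


if __name__ == "__main__":
    for body, results in ((REQ_XVI32, RESULTS_XVI32), (REQ_CMD, RESULTS_CMD)):
        ok, bad = audit(body, results)
        print(f"{len(ok)} expected, {len(bad)} spurious: {bad}")
```

Pointing `audit` at the real API response for each request body gives the count of records that the parser returned but that do not satisfy the query as written.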