Is there a way to search for events using the equal sign in the Symantec EDR database?
Article ID: 236040

Products

Endpoint Detection and Response

Issue/Introduction

You have events in the Symantec EDR database that contain the equal sign '=' and you need to find them.

You are unable to locate the specific event because the search does not treat the equal sign as a searchable term on its own.

For example:

You are attempting to find events with a search term like "start="

Environment

Issue found in 4.6.8

This affects all platform types, physical or virtual.

Cause

The equal sign '=' is not treated as a meaningful word by the search query parser; it is interpreted as a boundary between words rather than as a word in its own right.

If the equal sign were indexed as a word on its own, it would add noise to the search index and could reduce the accuracy of search results.

Resolution

Using the equal sign as a search term by itself is not currently supported. The character is treated as part of the adjacent word it appears with and is not evaluated independently.

Additional Information

The EDR appliance supports Lucene queries. Refer to the Search query syntax section of the SEDR documentation for your version of EDR for more information on building an EDR query.

Which characters are special in a Lucene query? See "Escaping Special Characters" in the Lucene query parser syntax documentation at https://lucene.apache.org/core/2_9_4/queryparsersyntax.html. Guides written for Elasticsearch cover the same escaping rules, and they apply to SEDR environments as well.
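The following Python script is an added illustration, not code from the article or from Symantec. It models the behaviour described above with a simplified word tokenizer (an assumption: one run of word characters per token, lower-cased; it is not the appliance's real analyzer) to show why a search for "start=" silently becomes a search for the word "start", and it implements the backslash escaping for the special characters listed on the Lucene 2.9.4 query syntax page. The sample event lines are constructed for the demonstration.

```python
import re
from typing import List

# Lucene 2.9.4 query-parser special characters, from the "Escaping Special
# Characters" section of the linked page. Backslash is listed first so the
# escapes added by this function are not themselves re-escaped.
LUCENE_SPECIAL = ["\\", "+", "-", "&&", "||", "!", "(", ")", "{", "}",
                  "[", "]", "^", "\"", "~", "*", "?", ":"]


def escape_lucene(term: str) -> str:
    """Backslash-escape every Lucene special character in a literal term."""
    out = term
    for special in LUCENE_SPECIAL:
        out = out.replace(special, "\\" + special)
    return out


def tokenize(text: str) -> List[str]:
    """Simplified word tokenizer (assumption: \\w+ runs, lower-cased).

    '=' is not a word character, so it acts as a boundary and never becomes
    a token of its own. This mirrors the behaviour the article describes.
    """
    return re.findall(r"\w+", text.lower())


def term_matches(query: str, event_text: str) -> bool:
    """True when every token of the query occurs among the event's tokens."""
    wanted = tokenize(query)
    if not wanted:  # a query made only of boundary characters matches nothing
        return False
    have = set(tokenize(event_text))
    return all(tok in have for tok in wanted)


# Constructed sample event lines (not real EDR data).
SAMPLE_EVENTS = [
    "service config start= disabled",
    "scheduled job start time 12:00",
    "service restart complete",
]


def search(query: str, events: List[str] = SAMPLE_EVENTS) -> List[str]:
    """Return the sample events that a word-level search would hit."""
    return [e for e in events if term_matches(query, e)]


if __name__ == "__main__":
    print(tokenize("start="))          # the '=' disappears: ['start']
    print(search("start="))            # both events containing the word 'start'
    print(search("="))                 # nothing: '=' alone yields no token
    print(escape_lucene("cmd:(a+b)"))  # cmd\:\(a\+b\)
```

Running the script shows the practical consequence: "start=" hits every event containing the word "start", including ones with no equal sign at all, so a detection or hunt query must rely on the surrounding words (for example the value that follows the '=') rather than on the '=' itself. The escaping helper is only needed for characters Lucene actually treats as operators; '=' is not among them, which is why escaping it changes nothing.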

Example: