Fix KQL wildcard literal failing to lex escaped specials with spaces#6383
Fix KQL wildcard literal failing to lex escaped specials with spaces#6383munzzyy wants to merge 1 commit into
Conversation
WILDCARD_LITERAL only treated a fixed set of raw characters as safe, so a wildcard value that mixed unquoted spaces with an escaped special char (e.g. an escaped colon: *\: no such file) couldn't be lexed at all and export-rules would error out instead of producing valid KQL. Extend the grammar so each "safe unit" in a wildcard also accepts the same backslash-escape pairs UNQUOTED_CHAR already understands, add a regression test, and confirm the existing kuery test suite (72 tests) still passes. Resolves elastic#6282
|
💚 CLA has been signed |
|
@munzzyy is this substantially different from my commit from 2 weeks ago? main...6282-dac-export-rules-fails-to-export-kql-rules-when-spaces-are-not-quoted Thanks! |
|
Structurally it's the same fix - each unit inside the spaced-wildcard patterns becomes "escape pair or plain non-special char" - but there are two real differences:
One thing 6282 has that this doesn't: the package version bumps - happy to add those here. And no attachment on my end - if you'd rather rebase your branch and land it that way, I'll close this. |
Pull Request
Issue link(s):
Resolves #6282
Summary - What I changed
export-rulesfails on a KQL rule when its query has a wildcard value that mixes unquoted spaces with an escaped special character, likeapp_message : *\: No such file or directory. Kibana accepts this query fine, but the KQL grammar here can't lex it, so export throws a syntax error and skips the rule (matches the screenshots in the issue).The cause is in
WILDCARD_LITERALinlib/kql/kql/kql.g. It has four patterns for wildcard values containing spaces, and each one only allows a fixed set of raw characters as "safe" - anything backslash-escaped (\:,\(,\", etc.) falls outside that set and breaks the match, even thoughUNQUOTED_CHARalready knows how to handle those same escapes for the no-space case.I extended each pattern so a "safe unit" is either one of those escape pairs or a raw safe character, matching what
UNQUOTED_CHARalready does. No other behavior changes.One thing worth flagging: if the wildcard value contains a bare
or/and/notas a full word (like "No such file or directory" in the original report), the grammar still splits the query there - that's pre-existing behavior unrelated to this bug (I confirmed it happens on currentmaintoo, with or without an escaped char involved), so I left it alone to keep this change scoped to the actual reported failure.How To Test
Before this change, that raises
kql.errors.KqlParseError.Added
test_wildcard_with_spaces_and_escaped_special_charstotests/kuery/test_parser.py. Ran the fulltests/kuerysuite locally (72 tests, all passing) andruff check/ruff format --checkon the changed test file.Checklist
bugmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist