Searching on numeric fields such as device_id is handled differently from searching on fields with string values, because of the way Lucene handles wildcards for numeric fields.
| Query | Works? |
|---|---|
| process_pid:1234 | Yes |
| -process_pid:1234 | Yes |
| process_pid:[* TO *] | Yes |
| -process_pid:[* TO *] | Yes |
| process_pid:* | No |
| -process_pid:* | No |
The following table lists all the numeric fields that require range values for wildcard searches:

| Field |
|---|
| childproc_cmdline_length |
| childproc_count |
| crossproc_count |
| device_group_id |
| device_id |
| device_policy_id |
| event_threat_score |
| fileless_scriptload_cmdline_length |
| filemod_count |
| ingress_time |
| modload_count |
| netconn_count |
| netconn_port |
| parent_cmdline_length |
| parent_pid |
| process_cmdline_length |
| process_duration |
| process_pid |
| regmod_count |
| report_severity |
| scriptload_count |
The following fields have numeric values but do not behave this way (a simple * works as the wildcard value), because they are actually stored as strings, not integers:

| Field |
|---|
| device_id |
| event_id |
| event_threat_score |
| netconn_port |
| process_product_version |
| report_severity |
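The following helper, added here as an example and not part of the original page or the product's own tooling, checks a query for bare `field:*` wildcards on the range-only numeric fields listed above and rewrites them to `field:[* TO *]`, preserving a leading `-` (NOT). It takes the field set from the first table; fields the page lists in both tables (for example device_id) are treated as range-only here, which is an assumption.

```python
import re

# Numeric fields that, according to the first table above, only accept a
# wildcard search as a range ([* TO *]); a bare `*` does not work for them.
# Fields that the page lists in both tables are kept here (assumption).
RANGE_REQUIRED_FIELDS = frozenset({
    "childproc_cmdline_length", "childproc_count", "crossproc_count",
    "device_group_id", "device_id", "device_policy_id", "event_threat_score",
    "fileless_scriptload_cmdline_length", "filemod_count", "ingress_time",
    "modload_count", "netconn_count", "netconn_port", "parent_cmdline_length",
    "parent_pid", "process_cmdline_length", "process_duration", "process_pid",
    "regmod_count", "report_severity", "scriptload_count",
})

# A clause of the form `field:*` or `-field:*`: optional NOT prefix, field
# name, colon, a single bare asterisk. `field:[* TO *]` and prefix
# wildcards such as `process_name:chrome*` deliberately do not match.
_BARE_WILDCARD = re.compile(r"(?<![\w\[:])(-?)(\w+):\*(?![\w*\]])")


def find_bare_numeric_wildcards(query: str) -> list[str]:
    """Return the range-only numeric fields that the query searches with a
    bare `*`, in order of appearance. An empty list means the query is fine."""
    return [
        m.group(2)
        for m in _BARE_WILDCARD.finditer(query)
        if m.group(2) in RANGE_REQUIRED_FIELDS
    ]


def rewrite_wildcards(query: str) -> str:
    """Rewrite `field:*` / `-field:*` to `field:[* TO *]` / `-field:[* TO *]`
    for the range-only numeric fields; every other clause is left as-is."""
    def _sub(m: re.Match) -> str:
        negate, field = m.group(1), m.group(2)
        if field in RANGE_REQUIRED_FIELDS:
            return f"{negate}{field}:[* TO *]"
        return m.group(0)  # string-valued or unknown field: keep the bare `*`
    return _BARE_WILDCARD.sub(_sub, query)


if __name__ == "__main__":
    # Constructed sample query mixing range-only and string-valued fields.
    q = "process_pid:* AND -device_id:* AND process_name:* AND netconn_count:[* TO *]"
    print("needs range:", find_bare_numeric_wildcards(q))  # ['process_pid', 'device_id']
    print("rewritten:  ", rewrite_wildcards(q))
```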