Environment
- Carbon Black Cloud Console: All versions
- Carbon Black Cloud Sensors: All versions
Symptoms
Searching the Alerts page for device_name: AAA-XYZ returns alerts for any device_name ending in "-XYZ" (e.g. BBB-XYZ, CCC-XYZ, etc.)
Cause
This is functioning as designed. The Alerts page uses Elasticsearch as its underlying search engine. This engine requires that special characters (such as the hyphen) be escaped, including in the device_name field; an unescaped hyphen is treated as query syntax rather than as part of the device name.
Resolution
- To achieve the desired result, place the name of the device in double quotes, as follows:
alerts query -> device_name:"AAA-XYZ"
This query will only return alerts for AAA-XYZ.
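The following helper shows how a script that builds Alerts-page queries can apply the double-quote form from the Resolution, and the alternative backslash-escape form that Elasticsearch query syntax also accepts, so that a hyphenated device name is searched as one literal value. This is an added example, not Carbon Black code: the function names are assumptions, and the reserved-character set is the one documented for Elasticsearch query_string syntax.

```python
"""Build Carbon Black Cloud alert-search terms whose values contain
Elasticsearch/Lucene special characters.

Added example; function names are assumptions, not a Carbon Black API.
"""

# Reserved characters in Elasticsearch query_string syntax (from the
# Elasticsearch documentation). Any of these inside an unquoted value is
# interpreted as an operator rather than as literal text.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/')


def needs_escaping(value: str) -> bool:
    """True when the raw value would be misparsed if used unquoted."""
    return any(c in LUCENE_SPECIAL or c.isspace() for c in value)


def quote_value(value: str) -> str:
    """Wrap the value in double quotes, the form the Resolution recommends.

    Embedded backslashes and double quotes are escaped so that a value
    containing them cannot terminate the quoted string early.
    """
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{escaped}"'


def escape_value(value: str) -> str:
    """Alternative form: backslash-escape every reserved character.

    device_name:AAA\\-XYZ is equivalent to device_name:"AAA-XYZ" for a
    value without whitespace; quoting is simpler to read and handles
    spaces too, so it is the default below.
    """
    return ''.join('\\' + c if c in LUCENE_SPECIAL else c for c in value)


def alerts_query(field: str, value: str, style: str = "quote") -> str:
    """Return a field:value term safe to paste into the Alerts search box.

    style="quote"  -> device_name:"AAA-XYZ"
    style="escape" -> device_name:AAA\\-XYZ
    Values with no special characters are passed through unchanged.
    """
    if not needs_escaping(value):
        return f"{field}:{value}"
    if style == "quote":
        rendered = quote_value(value)
    elif style == "escape":
        rendered = escape_value(value)
    else:
        raise ValueError(f"unknown style: {style!r}")
    return f"{field}:{rendered}"


if __name__ == "__main__":
    # Constructed device names, not real hosts.
    for name in ("AAA-XYZ", "AAAXYZ", 'host "lab" (01)'):
        print(alerts_query("device_name", name))
        print(alerts_query("device_name", name, style="escape"))
```

The unquoted form `device_name:AAA-XYZ` is exactly what the Symptoms section describes, so `needs_escaping` returning True for a value is the signal that a script must quote or escape before submitting the search.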
Additional Notes
The Investigate page's device_name field does NOT need escaping, so its behavior differs from the Alerts page (because it is backed by a different search engine).