[Discover][ESQL] Fix filtering by multiline string fields (elastic#250047)

tfcmarques · web-flow · commit 8bd336238d03 · 2026-01-23T09:46:08.000Z
## Summary This PR aims to fix a bug related with adding filters to ESQL queries for multiline string fields. This was first detected when working with the Log overview in the Discover flyout. An error/exception message that contained line breaks caused the generated query, when applying "Filter for value" on the content breakdown, to be invalid in ESQL. Closes elastic#243347 ### Problem When filtering by a field value (e.g., exception.message) that contains line breaks in ESQL mode, the generated query was invalid because the `escapeStringValue` function did not escape newline characters. The literal newlines were inserted directly into the query string, breaking ESQL syntax. ### Changes - Updated `escapeStringValue` in `kbn-esql-utils` to escape newlines (\n), carriage returns (\r) and tabs (\t) - Added unit tests covering line breaks, carriage returns, tabs and combined special characters ### Demo #### Before https://github.com/user-attachments/assets/5e80c9e3-6c60-4643-9fa6-adbce1b63645 #### After https://github.com/user-attachments/assets/aaeb8818-74be-4987-bdcb-321a6269fb9a
diff --git a/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/append_where.test.ts b/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/append_where.test.ts
@@ -253,4 +253,60 @@ AND MATCH(\`tags.keyword\`, "info") AND MATCH(\`tags.keyword\`, "success")`
 | WHERE \`tags.keyword\` is null`
     );
   });
+
+  it('properly escapes values containing line breaks', () => {
+    const messageWithLineBreaks = `Error occurred at line 10\nStack trace:\n  at function foo()`;
+
+    expect(
+      appendWhereClauseToESQLQuery(
+        'from logs-*',
+        'exception.message',
+        messageWithLineBreaks,
+        '+',
+        'string'
+      )
+    ).toBe(
+      `from logs-*
+| WHERE \`exception.message\` == "Error occurred at line 10\\nStack trace:\\n  at function foo()"`
+    );
+  });
+
+  it('properly escapes values containing carriage returns and tabs', () => {
+    const messageWithReturnsAndTabs = 'Error\r\nwith\ttabs';
+
+    expect(
+      appendWhereClauseToESQLQuery(
+        'from logs-*',
+        'message',
+        messageWithReturnsAndTabs,
+        '+',
+        'string'
+      )
+    ).toBe(
+      `from logs-*
+| WHERE \`message\` == "Error\\r\\nwith\\ttabs"`
+    );
+  });
+
+  it('properly escapes line breaks in multivalue MATCH clauses', () => {
+    const valuesWithLineBreaks = ['error\nmessage', 'another\nvalue'];
+
+    expect(
+      appendWhereClauseToESQLQuery('from logs-*', 'message', valuesWithLineBreaks, '+', 'string')
+    ).toBe(
+      `from logs-*
+| WHERE MATCH(\`message\`, "error\\nmessage") AND MATCH(\`message\`, "another\\nvalue")`
+    );
+  });
+
+  it('properly escapes all possible special characters in a string value', () => {
+    const complexValue = 'Error: "path\\to\\file"\nStack trace\r\nwith\ttabs';
+
+    expect(
+      appendWhereClauseToESQLQuery('from logs-*', 'message', complexValue, '+', 'string')
+    ).toBe(
+      `from logs-*
+| WHERE \`message\` == "Error: \\"path\\\\to\\\\file\\"\\nStack trace\\r\\nwith\\ttabs"`
+    );
+  });
 });
diff --git a/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/utils.test.ts b/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/utils.test.ts
@@ -7,7 +7,7 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import { appendToESQLQuery } from './utils';
+import { appendToESQLQuery, escapeStringValue } from './utils';
 
 describe('appendToESQLQuery', () => {
   it('append the text on a new line after the query', () => {
@@ -25,3 +25,33 @@ describe('appendToESQLQuery', () => {
     );
   });
 });
+
+describe('escapeStringValue', () => {
+  it('wraps value in double quotes', () => {
+    expect(escapeStringValue('hello')).toBe('"hello"');
+  });
+
+  it('escapes backslashes', () => {
+    expect(escapeStringValue('path\\to\\file')).toBe('"path\\\\to\\\\file"');
+  });
+
+  it('escapes double quotes', () => {
+    expect(escapeStringValue('say "hello"')).toBe('"say \\"hello\\""');
+  });
+
+  it('escapes newlines', () => {
+    expect(escapeStringValue('line1\nline2')).toBe('"line1\\nline2"');
+  });
+
+  it('escapes carriage returns', () => {
+    expect(escapeStringValue('line1\rline2')).toBe('"line1\\rline2"');
+  });
+
+  it('escapes tabs', () => {
+    expect(escapeStringValue('col1\tcol2')).toBe('"col1\\tcol2"');
+  });
+
+  it('handles all special characters combined', () => {
+    expect(escapeStringValue('a\\b"c\nd\re\tf')).toBe('"a\\\\b\\"c\\nd\\re\\tf"');
+  });
+});
diff --git a/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/utils.ts b/src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query/utils.ts
@@ -70,10 +70,15 @@ export function getSupportedOperators(): SupportedOperators[] {
 }
 
 /**
- * Escapes a string value for use in ES|QL queries by escaping backslashes and quotes
+ * Escapes a string value for use in ES|QL queries by escaping special characters
  */
 export function escapeStringValue(val: string): string {
-  return `"${val.replace(/\\/g, '\\\\').replace(/\"/g, '\\"')}"`;
+  return `"${val
+    .replace(/\\/g, '\\\\')
+    .replace(/\"/g, '\\"')
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r')
+    .replace(/\t/g, '\\t')}"`;
 }
 
 /**
