Field Names

The documentation explains how field names can be written with or without quotation marks in CrowdStrike Query Language, with special attention to cases where quotes are required for field names containing hyphens or special characters. It also covers how to properly use field names in expressions, including the use of the getField() function when working with field names that contain special characters.

In most places in a query, it is clear from the context whether a value or the name of a field is expected. In these cases, the name of a field can be written with or without quotation marks, with the same meaning. For example, math:cos("fieldName") means the same as math:cos(fieldName), because the argument to the function is defined as a string denoting a field name, not as an expression.

However, some field names cannot be written unquoted, because they are not bare words in the CrowdStrike Query Language. For example, host-name or host/name need quotes when used in places where field names are expected, while host.name or host[0] do not: host.name=*, host[0]=*, and "host-name"=* all work, while host-name=* results in a syntax error.

Note

If your field name contains a hyphen, you must include the field name in double quotes. For example the field Vendor.api-name should be quoted as "Vendor.api-name".

In expressions, on the other hand, quotation marks always mean a string value, while unquoted field names always mean the value of that field. To use the value of a field whose name is not a bare word (such as host-name) in an expression, the function getField() can be used with the quoted name, like coalesce([host, getField("host-name")]). This works because getField() takes an expression that evaluates to a field name and reads the value of the field with that name.
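The following query puts the rules above side by side, as an added example that is not part of the original page. It assumes constructed events carrying the fields host, host-name and Vendor.api-name; the assigned field names literal, fromField, resolved and api are arbitrary.

```cql
// Added example, not from the original documentation. Assumes constructed
// events with the fields host, host-name and Vendor.api-name.

// Filter position: context expects a field name, so a quoted hyphenated
// name is a field reference. This keeps events where host-name exists.
// Writing host-name=* unquoted here would be a syntax error.
"host-name" = *

// Expression position: quotes always mean a string literal.
// literal holds the text host-name; fromField holds the field's value.
| literal := "host-name"
| fromField := getField("host-name")

// Mixing a bare-word field (host) with a quoted name via getField():
// resolved takes host when present, otherwise the value of host-name.
| coalesce([host, getField("host-name")], as=resolved)

// Dotted names are bare words, but a dot plus hyphen is not,
// so Vendor.api-name must be quoted in both positions.
| "Vendor.api-name" = *
| api := getField("Vendor.api-name")
```

The common mistake is the second assignment written without getField(): `x := "host-name"` silently stores the literal string, which is why a filter that works on "host-name" does not carry over to an expression unchanged.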