In most places in a query, it is clear from the context whether a value or the name of a field is expected. In these cases, the name of a field can be written with or without quotation marks, meaning the same. For example, math:cos("fieldName") means the same as math:cos(fieldName), because the argument to the function is defined as a string denoting a field name, and not an expression.

However, some field names cannot be written unquoted, because they are not bare words in the CrowdStrike Query Language; for example, host-name or host/name need quotes when used in places where field names are expected: but do not: host.name=*, host[0]=*, and "host-name"=* all work, while host-name=* results in a syntax error.

In expressions, on the other hand, quotation marks always mean a string value, while unquoted field names always mean the value of that field. To use the value of a field with such a name in an expression, the function getField() can be used with the quoted name, like coalesce([host, getField("host-name")]). This works because getField() takes an expression and reads the value of the field with that name.