
Does the plugin handle wildcards?

Open bossi6of9 opened this issue 7 years ago • 5 comments

Hi,

I'm testing out this plugin, and it works fine as long as the queries don't use wildcards. Is this supported?

For example, this works fine:

| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:5.6.7.8" fields=*

But this just spins:

| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:1.2.3*" fields=*

bossi6of9 avatar Jul 05 '18 14:07 bossi6of9

Hi,

Any update on this issue?

bossi6of9 avatar Jul 16 '18 20:07 bossi6of9

Hi @bossi6of9, I wasn't able to reproduce it with very similar parameters searching against large indices.

Can you confirm that this search works in Kibana dev tools or using curl?

GET nprobe-2018.07.03/_search
{
	"sort": [{"@timestamp": {"order": "asc"}}],
	"query": {
		"bool": {
			"must": [
				{
					"range": {
						"@timestamp": {
							"gte": "now-360m",
							"lte": "now"
						}
					}
				},
				{
					"query_string": {
						"query": "IPV4_DST_ADDR:1.2.3*"
					}
				}
			]
		}
	}
}

brunotm avatar Jul 17 '18 08:07 brunotm

Thanks for getting back to me.

When I enter that in the Kibana console, I get:

{
	"error": {
		"root_cause": [
			{
				"type": "query_shard_exception",
				"reason": "No mapping found for [timestamp] in order to sort on",
				"index_uuid": "9FfQwC2aR7KoQAZEOuTBtw",
				"index": "netflow-2018.07.17"
			}
		],
		"type": "search_phase_execution_exception",
		"reason": "all shards failed",
		"phase": "query",
		"grouped": true,
		"failed_shards": [
			{
				"shard": 0,
				"index": "netflow-2018.07.17",
				"node": "hmTS1JVQS8-MEXeBpRUP8A",
				"reason": {
					"type": "query_shard_exception",
					"reason": "No mapping found for [timestamp] in order to sort on",
					"index_uuid": "9FfQwC2aR7KoQAZEOuTBtw",
					"index": "netflow-2018.07.17"
				}
			}
		]
	},
	"status": 400
}

If I use Discover and use a wildcard, it works. If I try it on the Splunk search bar, the job never finishes.

On Tue, Jul 17, 2018 at 4:38 AM, Bruno Moura [email protected] wrote:

Hi @bossi6of9 https://github.com/bossi6of9, I wasn't able to reproduce it with very similar parameters searching against large indices.

Can you confirm that this search works in kibana dev tools or using curl ?

GET nprobe-2018.07.03/_search { "sort": [{"timestamp": {"order": "asc"}}], "query": { "bool": { "must": [ { "range": { "timestamp": { "gte": "now-360m", "lte": "now" } } }, { "query_string": { "query": "IPV4_DST_ADDR:1.2.3*" } } ] } } }


bossi6of9 avatar Jul 17 '18 13:07 bossi6of9

Update:

I tried another search, using this: query="IPV4_DST_ADDR:1..." and it worked. However, if I try that with query="IPV4_DST_ADDR:10...", then it never finishes.

bossi6of9 avatar Jul 17 '18 14:07 bossi6of9

Thanks for getting back to me. When I enter that in the Kibana console, I get:

No problem!

Look at the current query; I have since edited the post to correct the definition from timestamp to @timestamp, which is your current time field. This is where the missing mapping error comes from.

GET nprobe-2018.07.03/_search
{
	"sort": [{"@timestamp": {"order": "asc"}}],
	"query": {
		"bool": {
			"must": [
				{
					"range": {
						"@timestamp": {
							"gte": "now-360m",
							"lte": "now"
						}
					}
				},
				{
					"query_string": {
						"query": "IPV4_DST_ADDR:1.2.3*"
					}
				}
			]
		}
	}
}

brunotm avatar Jul 17 '18 15:07 brunotm
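Added example, not code from the elasticsplunk project: it builds the same request body brunotm posted from the `ess`-style parameters (tsfield, query, earliest, latest) and checks the time field against the index mapping before anything is sent, so a wrong field name such as `timestamp` instead of `@timestamp` fails immediately with a readable message rather than the 400 "No mapping found for [...] in order to sort on" from every shard. The index name and field names are taken from the thread; the mapping dictionary is constructed for the example and stands in for the response of GET <index>/_mapping.

```python
"""Preflight an Elasticsearch sorted search built from ess-style parameters.

Added example; not part of elasticsplunk. The SAMPLE_MAPPING below is
constructed for illustration and is not the real nprobe index mapping.
"""
import json

# Constructed stand-in for the body returned by GET nprobe-2018.07.03/_mapping.
SAMPLE_MAPPING = {
    "nprobe-2018.07.03": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "IPV4_DST_ADDR": {"type": "ip"},
                "IPV4_SRC_ADDR": {"type": "ip"},
            }
        }
    }
}


def build_query(tsfield, query, earliest="now-360m", latest="now"):
    """Return the request body equivalent to the ess search in the thread:
    sort ascending on the time field, restrict to the time window, and pass
    the user's query_string through unchanged."""
    return {
        "sort": [{tsfield: {"order": "asc"}}],
        "query": {
            "bool": {
                "must": [
                    {"range": {tsfield: {"gte": earliest, "lte": latest}}},
                    {"query_string": {"query": query}},
                ]
            }
        },
    }


def field_type(mapping, index, field):
    """Return the mapped type of `field` in `index`, or None if it is unmapped.
    Only top-level properties are inspected; nested objects are out of scope."""
    props = mapping.get(index, {}).get("mappings", {}).get("properties", {})
    return props.get(field, {}).get("type")


def preflight(mapping, index, tsfield, query, earliest="now-360m", latest="now"):
    """Validate the sort/time field before sending the search.

    Returns (ok, message, body). When ok is False the body is None and the
    message names the problem, which is what a search command should report
    to the user instead of letting the shard-level exception propagate."""
    ftype = field_type(mapping, index, tsfield)
    if ftype is None:
        return (False, "no mapping for sort field %r in index %s" % (tsfield, index), None)
    if ftype != "date":
        return (False, "sort field %r is mapped as %s, not date" % (tsfield, ftype), None)
    return (True, "ok", build_query(tsfield, query, earliest, latest))


if __name__ == "__main__":
    # The field name from the original (unedited) reply: rejected up front.
    print(preflight(SAMPLE_MAPPING, "nprobe-2018.07.03", "timestamp", "IPV4_DST_ADDR:1.2.3*")[:2])
    # The corrected field name: prints the body ready for POST <index>/_search.
    ok, msg, body = preflight(SAMPLE_MAPPING, "nprobe-2018.07.03", "@timestamp", "IPV4_DST_ADDR:1.2.3*")
    print(msg)
    print(json.dumps(body, indent=2))
```

In a real command the mapping would be fetched once per index pattern and cached; the point is that the sort field is the one parameter the user can get wrong silently, and checking it against the mapping turns the opaque "all shards failed" response into a message that says which field is missing.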