timesketch icon indicating copy to clipboard operation
timesketch copied to clipboard

Published 20 hours ago verified publisher icon google

Boolean value exclusion\inclusion filter exception

Open rushattac opened this issue 3 years ago • 1 comments

Describe the bug If an attribute in a timeline contains a boolean value (true\false) and a it was filtered on using the exclusion\inclusion filter feature and exception is thrown.

To Reproduce Steps to reproduce the behavior:

  1. Import data into a timeline with an attribute containing a boolean value.
  2. Apply an inclusion or exclusion filter.
  3. see exception

Expected behavior for the filter to work correctly without throwing an error.

Desktop (please complete the following information): -OS:Ubuntu 20.04.2 LTS -Browser : Firefox -Version: 86.0

Additional context wsgi_error logs related to the issue

[2021-06-24 11:55:22,068] timesketch.elasticsearch/ERROR Unable to run search query: [query_shard_exception] failed to create query: Can't parse boolean value [True], expected [true] or [false]
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/datastores/elastic.py", line 565, in search
    _search_result = self.client.search(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/client/utils.py", line 84, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/client/__init__.py", line 1547, in search
    return self.transport.perform_request(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/transport.py", line 351, in perform_request
    status, headers_response, data = connection.perform_request(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/connection/http_urllib3.py", line 261, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/connection/base.py", line 181, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'search_phase_execution_exception', "failed to create query: Can't parse boolean value [True], expected [true] or [false]")

timesketch version: 20210602

rushattac avatar Jun 24 '21 12:06 rushattac

Good catch! We need to take the type information per attribute into account when creating the filters. I'll look into that as soon as time permits.

berggren avatar Jul 01 '21 07:07 berggren