
[BUG] Impossible to use DQL Search query with $ inside

Open markusg80 opened this issue 1 year ago • 5 comments

Describe the bug


To Reproduce
Steps to reproduce the behavior:

  1. Go to Discover
  2. Enter a search string like winlog.event_data.TargetUserName: *$

Expected behavior: Documents with the field winlog.event_data.TargetUserName and a value ending with $ (computer accounts) are filtered out.

OpenSearch Version 2.11.1

Dashboards Version 2.11.1

Screenshots: (image attached)

Host/Environment (please complete the following information):

  • OS: Rocky linux 9.3
  • Firefox 120.0.1

I also cannot escape the $.

markusg80 avatar Dec 19 '23 14:12 markusg80

The DQL query under the hood is converted into a DSL request like the one below. Are you able to query the fields with $ in them using DSL?

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "multi_match": {
            "type": "best_fields",
            "query": "$",
            "lenient": true
          }
        }
      ]
    }
  }
}

ashwin-pc avatar Dec 28 '23 23:12 ashwin-pc

I also tried this, but it does not work.

Shouldn't this line "query": "$"

be "query": "*$"?

Sent from my iPhone

On 29.12.2023 at 00:07, Ashwin P Chandran @.***> wrote:

"query": "$"

markusg80 avatar Dec 29 '23 05:12 markusg80

Is there any further information I have to provide? With the proposed solution of @ashwin-pc I don't get any results.

markusg80 avatar Apr 22 '24 12:04 markusg80

Nope, this was useful @markusg80. Adding more context here. To reproduce the issue with DQL search queries involving the $ character, follow these steps:

Open the Dashboards Console app and execute the following commands to create an index and ingest data:

PUT /test_index
{
  "mappings": {
    "properties": {
      "winlog.event_data.TargetUserName": {
        "type": "keyword"
      }
    }
  }
}

POST /test_index/_bulk
{ "index": {} }
{ "winlog.event_data.TargetUserName": "user1$" }
{ "index": {} }
{ "winlog.event_data.TargetUserName": "user2" }
{ "index": {} }
{ "winlog.event_data.TargetUserName": "admin$" }

Go to the "Discover" tab and select the test_index index pattern.

Enter winlog.event_data.TargetUserName: *$ in the search bar and observe the results.

This should help reproduce the issue described.

ashwin-pc avatar May 15 '24 02:05 ashwin-pc
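The reproduction above maps the field as keyword, which is why the trailing $ survives and the wildcard matches. The following is an added example, not code from the issue thread or from OpenSearch Dashboards: it simulates, offline, what happens to the same query when the field is analyzed text instead of keyword, and builds the DSL wildcard query a practitioner would send directly. The analyzer stand-in (lowercase, split on non-alphanumeric characters) is an assumption that approximates the standard analyzer; it is not the real Lucene tokenizer, and the sample documents are constructed.

```python
"""Why `winlog.event_data.TargetUserName: *$` only matches computer accounts
(names ending in '$') when the field keeps the '$' intact.

Added example; not code from OpenSearch or the issue thread. The analyzer
below is a simplified stand-in for the standard analyzer (assumption), used
to show that '$' does not survive text analysis.
"""
import fnmatch
import re

FIELD = "winlog.event_data.TargetUserName"

# Constructed sample documents, mirroring the reproduction in the thread
# plus one extra workstation-style computer account.
DOCS = [
    {FIELD: "user1$"},
    {FIELD: "user2"},
    {FIELD: "admin$"},
    {FIELD: "WS-42$"},
]


def analyze_text(value: str) -> list[str]:
    """Simplified standard-analyzer stand-in (assumption): lowercase and keep
    only alphanumeric runs. The '$' is dropped, which is the crux of the issue."""
    return [tok for tok in re.split(r"[^0-9a-z]+", value.lower()) if tok]


def search_keyword(docs: list[dict], field: str, pattern: str) -> list[str]:
    """Glob-style wildcard match against the untouched keyword value, i.e. the
    behaviour of a `wildcard` query on a field mapped as keyword."""
    return [d[field] for d in docs if fnmatch.fnmatchcase(d[field], pattern)]


def search_text(docs: list[dict], field: str, pattern: str) -> list[str]:
    """Same pattern applied to analyzed tokens. No token ever contains '$',
    so a pattern that requires it matches nothing."""
    hits = []
    for d in docs:
        if any(fnmatch.fnmatchcase(tok, pattern) for tok in analyze_text(d[field])):
            hits.append(d[field])
    return hits


def wildcard_dsl(field: str, pattern: str) -> dict:
    """Query DSL to send directly to OpenSearch for this case: a `wildcard`
    query on a keyword field keeps the literal '$' in the pattern."""
    return {"query": {"wildcard": {field: {"value": pattern}}}}


if __name__ == "__main__":
    print("keyword mapping:", search_keyword(DOCS, FIELD, "*$"))
    print("text mapping   :", search_text(DOCS, FIELD, "*$"))
    print("DSL to send    :", wildcard_dsl(FIELD, "*$"))
```

Running the block shows the keyword path returning the three accounts ending in $ and the text path returning nothing, which is the symptom reported at the top of the thread. Two caveats for real deployments: a wildcard query on a keyword field is case-sensitive unless the field is configured otherwise, and a pattern with a leading `*` has to scan every term in the field, so on a large winlog index it is worth filtering on a time range first or considering a dedicated keyword sub-field for account-type classification.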

With this test I get back two lines.

markusg80 avatar Jun 20 '24 14:06 markusg80

(screenshot attached)

markusg80 avatar Jan 16 '25 10:01 markusg80

This is what I get back.

markusg80 avatar Jan 16 '25 10:01 markusg80

What is now the next steps?

markusg80 avatar Jan 16 '25 10:01 markusg80

So you are able to search with $ in the query bar. So it looks like there is some other issue here. What's your original index mapping for the problematic index pattern?

ashwin-pc avatar Mar 07 '25 12:03 ashwin-pc