A single backslash becomes double backslash

I have messages which contain a computer name under a Windows domain. The format will be domain\computername. However, the message ends up as domain\\computername in the Elasticsearch index. When I do a search, I need to put domain\\\\computername in my query. Is this the expected behavior?

Where are you seeing the double backslashes? Show a screenshot or dump the raw JSON document.

My CSV file:
2018-10-05T09:05:03+0800,NHS\WARD-0147-A,admin,SCOTT,sqlplus.exe

Query:

curl -X GET   http://localhost:9200/logstash-audit-2018.10.05/_search?pretty -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{
  "query": {
    "query_string": {
     "query": "sid:ORCL1 AND dbuser:SCOTT AND osuser:admin AND module:sqlplus.exe"
    }
  }
}'

Results:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 6.2808843,
    "hits" : [
      {
        "_index" : "logstash-audit-2018.10.05",
        "_type" : "doc",
        "_id" : "chvGQWYB_VzXwqnenfyE",
        "_score" : 6.2808843,
        "_source" : {
          "@timestamp" : "2018-10-05T01:05:03.000Z",
          "userhost" : "NHS\\WARD-0147-A",
          "sid" : "ORCL1",
          "return_code" : "",
          "file" : "/appl/audit/ORCL1/20181005091000.txt",
          "offset" : "92",
          "format" : "csv",
          "osuser" : "admin",
          "dbuser" : "SCOTT",
          "module" : "sqlplus.exe",
          "known_source" : "true",
          "@version" : "1",
          "host" : "dbserver1",
          "localtime" : "2018-10-05 09:05:03",
          "message" : "2018-10-05T09:05:03+0800,NHS\\WARD-0147-A,admin,SCOTT,sqlplus.exe",
          "tags" : [
            "audit",
            "known_source"
          ],
          "log_timestamp" : "2018-10-05T09:05:03+0800",
          "type" : "audit"
        }
      }
    ]
  }
}

Query:

curl -X GET   http://localhost:9200/logstash-audit-2018.10.05/_search?pretty -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{
  "query": {
    "query_string": {
     "query": "sid:ORCL1 AND dbuser:SCOTT AND osuser:admin AND module:sqlplus.exe AND userhost:NHS\\WARD-0147-A"
    }
  }
}'

Result:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

In Kibana, one backslash is displayed under the Table tab. Under JSON tab, it shows double backslash.

Everything's fine. You need four backslashes in your query because both the JSON serialization and the query language require backslashes to be escaped.
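To make the two layers of escaping concrete, here is an added example (not code from the thread or from Elastic) that builds the request body programmatically: the value is first escaped for the query_string syntax, then the JSON encoder escapes the backslashes a second time, so one literal backslash in the host name ends up as four in the bytes sent on the wire. It also shows a term query, where only the JSON escaping applies; it assumes a hypothetical keyword-mapped `userhost` field, since the mapping is not shown in the thread. Escaping every reserved query_string character matters beyond backslashes: a value taken from user input that is dropped into query_string unescaped can change the structure of the query.

```python
import json

# Characters the Elasticsearch query_string syntax treats as operators.
# Each must be prefixed with a backslash to be matched literally; "<" and ">"
# cannot be escaped at all and are dropped instead.
QUERY_STRING_RESERVED = set('+-=&|!(){}[]^"~*?:\\/')
UNESCAPABLE = {'<', '>'}


def escape_query_string_value(value: str) -> str:
    """Escape one literal value for use inside a query_string query (layer 1)."""
    out = []
    for ch in value:
        if ch in UNESCAPABLE:
            continue
        if ch in QUERY_STRING_RESERVED:
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def build_query_string_body(field: str, value: str) -> str:
    """Serialize a query_string request body.

    json.dumps applies the second layer of escaping: every backslash produced
    by escape_query_string_value (and every backslash in the original value)
    becomes two characters in the JSON text.
    """
    query = f"{field}:{escape_query_string_value(value)}"
    return json.dumps({"query": {"query_string": {"query": query}}})


def build_term_body(field: str, value: str) -> str:
    """Term query against a keyword field (assumed mapping): no query syntax is
    parsed, so only the JSON-level escaping is applied."""
    return json.dumps({"query": {"term": {field: value}}})


def decode_stored_field(raw_source_json: str, field: str) -> str:
    """Parse a raw _source document as returned by the search API and return
    the decoded field value, i.e. what the Kibana Table tab displays."""
    return json.loads(raw_source_json)[field]


# Constructed sample: the _source fragment as the API prints it, where the
# single backslash of the original CSV line is shown JSON-escaped as two.
SAMPLE_SOURCE = r'{"userhost": "NHS\\WARD-0147-A", "osuser": "admin"}'
HOST = r"NHS\WARD-0147-A"

if __name__ == "__main__":
    print("query_string body :", build_query_string_body("userhost", HOST))
    print("term body         :", build_term_body("userhost", HOST))
    print("stored value      :", decode_stored_field(SAMPLE_SOURCE, "userhost"))
```

Run it and compare the three lines: the query_string body carries `NHS\\\\WARD`, the term body `NHS\\WARD`, and the decoded stored value the original `NHS\WARD-0147-A`; the two extra backslashes exist only in the JSON text and in the query syntax, never in the indexed value.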


Right. It's the JSON serialization. Thanks!
