A single backslash becomes double backslash

Nww_Pot_Fung_Nng · October 5, 2018, 11:38am

I have messages which contain computer name under Windows domain. The format will be domain\computername. However, the message ends up domain\\computername in elasticsearch indice. When I do a search, I need to put domain\\\\computername in my query. Is it the expected behavior?

magnusbaeck · October 5, 2018, 1:32pm

Where are you seeing the double backslashes? Show a screenshot or dump the raw JSON document.

Nww_Pot_Fung_Nng · October 5, 2018, 2:56pm

My CSV file:
2018-10-05T09:05:03+0800,NHS\WARD-0147-A,admin,SCOTT,sqlplus.exe

Query:

curl -X VIEW   http://localhost:9200/logstash-audit-2018.10.05/_search?pretty -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{
  "query": {
    "query_string": {
     "query": "sid:ORCL1 AND dbuser:SCOTT AND osuser:admin AND module:sqlplus.exe"
    }
  }
}'

Results:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 6.2808843,
    "hits" : [
      {
        "_index" : "logstash-audit-2018.10.05",
        "_type" : "doc",
        "_id" : "chvGQWYB_VzXwqnenfyE",
        "_score" : 6.2808843,
        "_source" : {
          "@timestamp" : "2018-10-05T01:05:03.000Z",
          "userhost" : "NHS\\WARD-0147-A",
          "sid" : "ORCL1",
          "return_code" : "",
          "file" : "/appl/audit/ORCL1/20181005091000.txt",
          "offset" : "92",
          "format" : "csv",
          "osuser" : "admin",
          "dbuser" : "SCOTT",
          "module" : "sqlplus.exe",
          "known_source" : "true",
          "@version" : "1",
          "host" : "dbserver1",
          "localtime" : "2018-10-05 09:05:03",
          "message" : "2018-10-05T09:05:03+0800,NHS\\WARD-0147-A,admin,SCOTT,sqlplus.exe",
          "tags" : [
            "audit",
            "known_source"
          ],
          "log_timestamp" : "2018-10-05T09:05:03+0800",
          "type" : "audit"
        }
      }
    ]
  }
}

Query:

curl -X VIEW   http://localhost:9200/logstash-audit-2018.10.05/_search?pretty -H 'Cache-Control: no-cache' -H 'Content-Type: application/json' -d '{
  "query": {
    "query_string": {
     "query": "sid:ORCL1 AND dbuser:SCOTT AND osuser:admin AND module:sqlplus.exe AND userhost:NHS\\WARD-0147-A"
    }
  }
}'

Result:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

In Kibana, one backslash is displayed under the Table tab. Under JSON tab, it shows double backslash.

magnusbaeck · October 5, 2018, 4:41pm

Everything's fine. You need four backslashes in your query because both the JSON serialization and the query language require backslashes to be escaped.

Nww_Pot_Fung_Nng · October 6, 2018, 1:24am

Right. It's the JSON serialization. Thanks!

system · November 3, 2018, 1:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.