Adding quotes to variables

orhiee · June 19, 2017, 1:50pm

hello,

so i have a elasticsearch filter added to my logstash and I am trying to search all the IP address i get, but i get an ipv6 it messes up, due to the ":" in the address:

so my query is:

query => "type:XYZ AND IP:%{[source_ip]}"

normally it works by creating a query like:
query => "type:XYZ AND IP:10.10.10.10}"
but when i get an ipv6 it turn into something like;
query => "type:XYZ AND IP:ff:ff:ff::}" and logstash doesnt like the extra ":" in the search

so i am trying to turn my search into: query => "type:XYZ AND IP:"ff:ff:ff:"}" with a " added to the begining and end but cant seem to get it to work tried the below:

query => "type:XYZ AND IP:'%{[source_ip]'}" - doenst see source_ip as variable
query => "type:XYZ AND IP:\'%{[source_ip]\'}" - ads 3 \ to the search

open to ideas,

thanks in advance

magnusbaeck · June 19, 2017, 2:21pm

query => "type:XYZ AND IP:'%{[source_ip]'}"

Your closing ' is inside the braces.

This should work:

query => 'type:XYZ AND IP:"%{[source_ip]}"'

orhiee · June 19, 2017, 2:46pm

i was hoping solution would be that simple

did update to: query => 'type:threat_intell AND IP:"%{[dest_ip]"}'
but still not working, its not converting the variable to its value:

in short thequerly lookslike: query=>"type:XYZ AND IP:\"%{[dest_ip]\"}"

full:
[2017-06-19T15:44:10,937][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"XYZ*", :query=>"type:XYZ AND IP:\"%{[dest_ip]\"}", :event=>2017-06-19T14:44:01.689Z IEDUBEACDSO01 1497883439.463405 FvIiTOuxcnqysmw5j 13.107.6.159 192.168.250.122 CLMyuU2PNII2RMfbca SSL 0 SHA1,X509,MD5 application/pkix-cert - 0.000000 F F 1914 - 0 0 F -e61683ff8024828fe144ce88efa28ace d332f9f56c3c5b4455587927eb0ed3203980d0eb - -, :error=>#<Elasticsearch::Transport::Transport::Errors::BadRequest: [400] {"error":{"root_cause":[{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"7sJja53ARamnfZQL441IcA","index":"XYZ-2017.04.28"},{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"wjc04MuGT2mg6iEEsa-b8Q","index":"XYZ-2017.05.17"},{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"42Vp2zCdSvmgyk2NTsc_Rw","index":"XYZ-2017.06.08"},{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"g0C4n8lvRw6LwPKr2cB_4w","index":"XYZ-2017.06.15"},{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"6l9aUg2oS3uQzvxbSLh0mg","index":"XYZ-2017.06.19"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"XYZ-2017.04.28","node":"43pItJ_-TD6DbBoIm_upHA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"7sJja53ARamnfZQL441IcA","index":"XYZ-2017.04.28","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:XYZ AND IP:\"%{[dest_ip]\"}': Lexical error at line 1, column 41. Encountered: <EOF> after : \"\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 41. Encountered: <EOF> after : \"\""}}}},{"shard":0,"index":"XYZ-2017.05.17","node":"43pItJ_-TD6DbBoIm_upHA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"wjc04MuGT2mg6iEEsa-b8Q","index":"XYZ-2017.05.17","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:XYZ AND IP:\"%{[dest_ip]\"}': Lexical error at line 1, column 41. Encountered: <EOF> after : \"\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 41. Encountered: <EOF> after : \"\""}}}},{"shard":0,"index":"XYZ-2017.06.08","node":"43pItJ_-TD6DbBoIm_upHA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"42Vp2zCdSvmgyk2NTsc_Rw","index":"XYZ-2017.06.08","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:XYZ AND IP:\"%{[dest_ip]\"}': Lexical error at line 1, column 41. Encountered: <EOF> after : \"\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 41. Encountered: <EOF> after : \"\""}}}},{"shard":0,"index":"XYZ-2017.06.15","node":"43pItJ_-TD6DbBoIm_upHA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"g0C4n8lvRw6LwPKr2cB_4w","index":"XYZ-2017.06.15","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:XYZ AND IP:\"%{[dest_ip]\"}': Lexical error at line 1, column 41. Encountered: <EOF> after : \"\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 41. Encountered: <EOF> after : \"\""}}}},{"shard":0,"index":"XYZ-2017.06.19","node":"43pItJ_-TD6DbBoIm_upHA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:XYZ AND IP:\"%{[dest_ip]\"}]","index_uuid":"6l9aUg2oS3uQzvxbSLh0mg","index":"XYZ-2017.06.19","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:XYZ AND IP:\"%{[dest_ip]\"}': Lexical error at line 1, column 41. Encountered: <EOF> after : \"\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 41. Encountered: <EOF> after : \"\""}}}}]},"status":400}>}

magnusbaeck · June 19, 2017, 8:58pm

did update to: query => 'type:threat_intell AND IP:"%{[dest_ip]"}'

That's not what I suggested you to do. Pay attention to the quotes and their relationship to the brackets and braces.

orhiee · June 21, 2017, 10:37am

as always you are right

i should have been more careful

thanks again it works like a charm

system · July 19, 2017, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.