Does case matter in timelion queries (which use "and" or "or")

bf31415 · September 15, 2019, 4:21pm

I'm trying to build a query for ssh traffic-- for my field names, if the ipProtocol is 6 (tcp) and srcPort is 22 or dstPort is 22, then this is a match.

In timelion I've created the following two queries:

.es(index=sessions2*, q="ipProtocol:6 and (dstPort:22 or srcPort:22)", timefield=lastPacket,metric=count).color(red).label("ssh-lower-case"),

.es(index=sessions2*, q="ipProtocol:6 AND (dstPort:22 OR srcPort:22)", timefield=lastPacket,metric=count).color(blue).label("ssh-upper-case").points(show=true).lines(show=true)

and the lines shown are different. Apparently the above two queries yield different results.

So two questions.

Is the above logic correct if I want "ipProtocol:6 and (srcPort:22 or dstPort:22)"?
Does case matter and if so should it be upper or lower?

THanks

Brandon_Kobel · September 16, 2019, 2:35pm

Hey @bf31415, when using the q= parameter for Timelion, that is the equivalent of the q parameter for the Elasticsearch URI Search, which uses the Lucene Query Syntax. You'll want to use the capitalized versions of AND and OR, or else the search will just be a "free text search".

system · October 14, 2019, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.