Elastic SQL and cURL not playing nice

I'm having the hardest time trying to figure out what i'm doing wrong here and hope that someone else has some pointers

I can run the following query in Dev Tools

POST _sql
{
  "query": "SELECT agent.hostname AS HOST, timestamp AS TIME, round(TEMPERATURE_A,1) AS TEMP FROM \"test*\" WHERE agent.hostname = 'host-1-1' AND TEMP is not null AND TIME < NOW() AND TIME > NOW() - INTERVAL 250 MINUTES GROUP BY TIME,HOST,TEMP ORDER BY TIME,HOST DESC LIMIT 5"
}

but the curl command that it gives me to use

curl -XPOST "http://localhost:9200/_sql" -H 'Content-Type: application/json' -d'{ "query": "SELECT agent.hostname AS HOST, timestamp AS TIME, round(TEMPERATURE_A,1) AS TEMP FROM \"test*\" WHERE agent.hostname = \"host-1-1\" AND TEMP is not null AND TIME < NOW() AND TIME > NOW() - INTERVAL 250 MINUTES GROUP BY TIME,HOST,TEMP ORDER BY TIME,HOST DESC LIMIT 5"}'

results in an error. I'm confident its related to this part not being able to get parsed correctly:

agent.hostname = \"host-1-1\"

Depending on how I escape it, I get either an Unexpected character error or Found 1 problem(s)\nline 1:127: Unknown column [host-1-1]" but never the results I am looking for. I can query it the following way but its not optimal

./bin/elasticsearch-sql-cli -d http://user:password@localhost:9200 < test.sql

Anyone have any experience with something similar?

Hmm yes interesting....

I have constructed some similar data and queries and having same issues with the WHERE the - seems to be an issue, then when I compared to a value without an - then I am getting an Unknown column error.

What I did get to work is put the query in a data.json file then use this syntax

curl -XPOST "http://localhost:9200/_sql?format=txt" -H 'Content-Type: application/json' -d @data.json

And that worked.

But now I am curious too, suspect it is a shell + curl parsing issue

SQL distinguishes "double-quoted-strings" (which are things like column names possibly containing funny characters) from 'single-quoted-strings' (which are string literals).

Your original query says WHERE agent.hostname = 'host-1-1' where host-1-1 is a string literal since it uses single quotes.

The curl command says WHERE agent.hostname = "host-1-1" where host-1-1 is a column name since it uses double quotes.

I think you want this:

curl 'http://localhost:9200/_sql' -H 'Content-type: application/json' --data-binary "{\"query\":\"SELECT agent.hostname AS HOST, timestamp AS TIME, round(TEMPERATURE_A,1) AS TEMP FROM \\\"test*\\\" WHERE agent.hostname = 'host-1-1' AND TEMP is not null AND TIME < NOW() AND TIME > NOW() - INTERVAL 250 MINUTES GROUP BY TIME,HOST,TEMP ORDER BY TIME,HOST DESC LIMIT 5\"}"

Using double-quotes means you can include single-quotes in the string, but also means you must escape all the double-quotes. Alternatively you can use this:

curl 'http://localhost:9200/_sql' -H 'Content-type: application/json' --data-binary $'{"query":"SELECT agent.hostname AS HOST, timestamp AS TIME, round(TEMPERATURE_A,1) AS TEMP FROM \\\"test*\\\" WHERE agent.hostname = \'host-1-1\' AND TEMP is not null AND TIME < NOW() AND TIME > NOW() - INTERVAL 250 MINUTES GROUP BY TIME,HOST,TEMP ORDER BY TIME,HOST DESC LIMIT 5"}'

A $'dollar-single-quoted-string' works like a "double-quoted-string" except double-quotes are no longer special so do not need escaping. You still need to escape the double-quotes inside the JSON string, however, because that's how JSON works, and then you need to escape the escape characters too, hence FROM \\\"test*\\\".

However really I would do what @stephenb did and put the JSON in a file, because this avoids all the shell quoting issues.

2 Likes

By the way @rdesanno if the curl command coming from the Dev Tools doesn't match what happens in Dev Tools itself then I think that's a Kibana bug. Please would you open an issue on Github about it?

1 Like

THIS IS THE SOLUTION!!

Wow, I was triple-escaping the hostname but never thought to do just the index. Thanks for taking the time to explain this to me! You just made my day!

1 Like

Will do

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.