ElasticSearch filter plugin "Failed to parse query" Was Expecting TO

Hi,
I am using the Elasticsearch filter plugin to check the current event with the previous events.

My elasticsearch filter plugin looks like this:

elasticsearch {
               hosts => "xx.xx.xx.xx"
               index => "all-interface-status"
               query => '{"_source":["ControllerName","parsed_interfaces.brief.name","parsed_interfaces.brief.host-inf","parsed_interfaces.detail.hw-stats.crc-error","@timestamp"],
			   "query":{
			   "bool":
			   {"must":
			   [{"match":{"ControllerName":"%{controller}"}},
			   {"match":{"parsed_interfaces.brief.name":"%{interface}"}},
			   {"match":{"parsed_interfaces.brief.host-inf":"%{port_number}"}}],
			   "filter":[
			   {"range":{"@timestamp":{"gte":"now-5m","lte": "now"}}}]}}}'
              }

And I am getting the error below:

 Failed to query elasticsearch for previous event {:index=>"all-interface-status", :error=>"[400]
 {\"error\":{\"root_cause\":[{\"type\":\"query_shard_exception\",\"reason\":\"Failed to parse query 
 [{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
 \\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
 [{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
 {\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
 {\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
 \\\"filter\\\":
 [{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}]\",
 \"index_uuid\":\"DxGqpGNJQqOvoJZOX9Amng\",\"index\":\"all-interface-status\"}],
 \"type\":\"search_phase_execution_exception\",\"reason\":\"all shards failed\",
\"phase\":\"query\",\"grouped\":true,\"failed_shards\":[{\"shard\":0,\"index\":\"all-interface-status\",\"node\":\"ia4IUb0vRzOmDwNF4-69Rg\",\"reason\":{\"type\":\"query_shard_exception\",
 \"reason\":\"Failed to parse query
[{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
\\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
[{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
\\\"filter\\\":
[{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}]\",
\"index_uuid\":\"DxGqpGNJQqOvoJZOX9Amng\",\"index\":\"all-interface-status\",\"caused_by\":{\"type\":\"parse_exception\",\"reason\":\"Cannot parse
'{\\\"_source\\\":
[\\\"ControllerName\\\",\\\"parsed_interfaces.brief.name\\\",\\\"parsed_interfaces.brief.host-inf\\\",\\\"parsed_interfaces.detail.hw-stats.crc-error\\\",\\\"@timestamp\\\"],
\\\"query\\\":{\\\"bool\\\":{\\\"must\\\":
[{\\\"match\\\":{\\\"ControllerName\\\":\\\"POD3-Controller1\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.name\\\":\\\"vni-0/0\\\"}},
{\\\"match\\\":{\\\"parsed_interfaces.brief.host-inf\\\":\\\"eth1\\\"}}],
\\\"filter\\\":
[{\\\"range\\\":{\\\"@timestamp\\\":{\\\"gte\\\":\\\"now-5m\\\",\\\"lte\\\": \\\"now\\\"}}}]}}}'
: Encountered \\\" \\\"]\\\" \\\"] \\\"\\\" at line 1, column 153.\\nWas expecting:\\n    \\\"TO\\\" ...\\n    \",\"caused_by\":
{\"type\":\"parse_exception\",\"reason\"
:\"Encountered \\\" \\\"]\\\" \\\"] \\\"\\\" at line 1, column 153.\\nWas expecting:\\n    \\\"TO\\\" ...\\n    \"}}}}]},\"status\":400}"}

Please help me to get this resolved.

@Badger could you please help me on this?
