Elasticsearch returns an error if the query contains strings with brackets and other characters

Description:

The application has the ability to filter the data by key values. For example, if you need to display all items in which "Result: success".

For one of the keys, the value is always in the form of a JS object, with quotes, etc. This results in Elasticsearch not being able to parse the JSON correctly. For example, we are looking for all items in which the property changeSet: {'filteringRuleName': null}.

The question is: how do I write such a request so that Elasticsearch can process it normally?

Fragment of a working request (in this case, I am looking for data with the property action = EDIT):
"query_string": { "query": "action:EDIT"}

Fragment of a non-working query example (in this case, I am looking for data whose property changeSet = {'filteringRuleName': null}):
"query_string": { "query": "changeSet:{'filteringRuleName':null}"}

Returned error code:

"reason": {
    "type": "query_shard_exception",
    "reason": "Failed to parse query [changeSet:{'filteringRuleName':null}]",
    "index_uuid": "h0xXZj0eQGWrSIYTcfv5nQ",
    "index": "cxc-audit-22-30-2021.02.05",
    "caused_by": {
        "type": "parse_exception",
        "reason": "parse_exception: Cannot parse 'changeSet:{'filteringRuleName':null}': Encountered \" \"}\" \"} \"\" at line 1, column 35.\nWas expecting:\n    \"TO\" ...\n    ",
        "caused_by": {
            "type": "parse_exception",
            "reason": "parse_exception: Encountered \" \"}\" \"} \"\" at line 1, column 35.\nWas expecting:\n    \"TO\" ...\n    "
        }
    }
}

You need to double-escape the colons and braces for that to work.

"query": "changeSet\\:\\{'filteringRuleName'\\:null\\}"


The error is no longer thrown.
But the result is returned empty, as if there is no such data.

Request:
{
  "size": 10,
  "from": 0,
  "sort": [ { "@timestamp": { "order": "desc" } } ],
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "filter": [
              { "range": { "@timestamp": { "from": 1614771196893, "to": 1614792796893, "format": "epoch_millis" } } },
              { "query_string": { "query": "changeSet\\:\\{'filteringRuleName'\\:null\\}" } }
            ]
          }
        },
        {
          "bool": {
            "must": [
              { "range": { "@timestamp": { "from": 1614771196893, "to": 1614792796893, "format": "epoch_millis" } } },
              { "query_string": { "query": "changeSet\\:\\{'filteringRuleName'\\:null\\}" } },
              { "regexp": { "action": { "value": ".*edit.*" } } }
            ]
          }
        }
      ]
    }
  }
}

Response:
{
  "took": 57,
  "timed_out": false,
  "_shards": { "total": 33, "successful": 33, "skipped": 0, "failed": 0 },
  "hits": { "total": 0, "max_score": null, "hits": [] }
}
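Added example (not code from the thread or from Elastic): a small Python helper that builds the three ways of asking for a literal value like `{'filteringRuleName':null}`, so the two escaping layers in the accepted answer become visible. A single backslash in the Python string is what the Lucene query_string parser needs; `json.dumps` then doubles it on the wire, which is the `\\{` in the hand-written request above. Two caveats a practitioner should know: escaping reserved punctuation does not neutralise the operator words AND, OR and NOT, so `query_string` is the wrong clause for values you do not control, and an escaped term is still run through the field's analyzer, so on a `text` field a punctuation-laden literal is compared against tokens, not the raw string. The `term` clause against a keyword field (the `changeSet.keyword` subfield name below is an assumption about the mapping, not something the thread confirms) takes the value as plain JSON, needs no escaping, and cannot be turned into a different query by its contents. The reserved-character list follows the Elasticsearch `query_string` reference; `<` and `>` cannot be escaped at all and are dropped.

```python
"""Build Elasticsearch clauses for literal values that contain Lucene
reserved characters. Added example; not from the original thread."""
import json

# Reserved characters of the query_string (classic Lucene) syntax:
#   + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
# '<' and '>' cannot be escaped; the reference says to remove them instead.
_ESCAPABLE = set('+-=&|!(){}[]^"~*?:\\/')
_UNESCAPABLE = set('<>')


def escape_query_string(value: str) -> str:
    """Backslash-escape reserved characters so `value` parses as ONE literal term.

    Whitespace is escaped too, otherwise the parser splits the value into
    several terms. Operator words (AND, OR, NOT) survive this untouched, so
    this alone is not enough to make untrusted input safe for query_string.
    """
    out = []
    for ch in value:
        if ch in _UNESCAPABLE:
            continue  # cannot be escaped; drop rather than create a range query
        if ch in _ESCAPABLE or ch.isspace():
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def query_string_query(field: str, value: str) -> dict:
    """field:<escaped value> as a query_string clause (field name assumed trusted)."""
    return {"query_string": {"query": f"{field}:{escape_query_string(value)}"}}


def phrase_query_string(field: str, value: str) -> dict:
    """Quote the value as a phrase: inside double quotes only `"` and `\\` are
    special, so reserved characters and AND/OR/NOT are literal. The phrase is
    still analysed, i.e. matched token by token, not byte for byte."""
    quoted = value.replace('\\', '\\\\').replace('"', '\\"')
    return {"query_string": {"query": f'{field}:"{quoted}"'}}


def term_query(field: str, value: str) -> dict:
    """Exact match on a keyword field. The value is a JSON string, never query
    syntax: nothing to escape, and nothing in it can change the query shape.
    `field` is assumed to be a keyword (sub)field, e.g. changeSet.keyword
    (hypothetical name; check the index mapping)."""
    return {"term": {field: {"value": value}}}


def wire_form(clause: dict) -> str:
    """Serialise to the JSON actually sent. json.dumps adds the second layer
    of backslashes: one `\\` in the Python string becomes `\\\\` on the wire."""
    return json.dumps(clause)


if __name__ == "__main__":
    value = "{'filteringRuleName':null}"  # the value from the thread
    print(escape_query_string(value))
    print(wire_form(query_string_query("changeSet", value)))
    print(wire_form(phrase_query_string("changeSet", value)))
    print(wire_form(term_query("changeSet.keyword", value)))
    # Punctuation escaping leaves operator words in place:
    print(escape_query_string("foo OR action:*"))
```

Usage note: run the script to see the three clause shapes side by side. If `changeSet` is mapped as `text` (with or without a keyword subfield), the escaped single-term form can parse cleanly and still match nothing, because the indexed tokens no longer contain the braces and quotes; check `GET <index>/_mapping` and use the keyword subfield with `term` for exact values.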
