I have an EQL sequence query in Elasticsearch 7.11.1 that returns strange results: the `join_keys` value is different from the `user.email` that is in the results.
Here is the query:
```
GET /my_index/_eql/search?filter_path=hits.sequences.join_keys,hits.sequences.events._source.@timestamp,hits.sequences.events._source.user.email,hits.sequences.events._source.source.ip
{
  "query": """
    sequence by user.email
      [ web where url.path != "/reset" ]
      [ web where stringContains(url.path, "download") ]
  """,
  "size": 1000
}
```
OK, I see what I am doing wrong here: I should not use the `!=` operator here.
What I'm trying to achieve here is to list the users for which I see downloads, unless I see that they used the reset page first.
Is it possible with EQL?
I did some more tests and there is definitely something wrong with the EQL sequence query output. I filtered on 2 users for a test and removed the negation, and the results are inconsistent, with the `join_keys` being different from the `user.email`.
```
GET /my_index/_eql/search?filter_path=hits.sequences.join_keys,hits.sequences.events._source.@timestamp,hits.sequences.events._source.user.email,hits.sequences.events._source.source.ip
{
  "query": """
    sequence by user.email
      [ web where url.path == "/reset" ]
      [ web where url.path : ("*download*") ]
  """,
  "filter": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "user.email": "user1@domain1.com"
          }
        },
        {
          "match_phrase": {
            "user.email": "user2@domain2.com"
          }
        }
      ],
      "minimum_should_match": 1
    }
  },
  "size": 1000
}
```
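To make the difference between the two queries concrete, here is an added Python example (not from the post or from Elastic) that mimics `sequence by user.email` over a few constructed web events and contrasts it with the per-user check the poster actually wants: a download that is not preceded by a `/reset` visit. The event tuples, the simplified sequence matcher and the function names are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): (timestamp, user.email, url.path)
EVENTS = [
    (1, "user1@domain1.com", "/home"),
    (2, "user1@domain1.com", "/reset"),
    (3, "user1@domain1.com", "/files/download?id=7"),
    (4, "user2@domain2.com", "/home"),
    (5, "user2@domain2.com", "/files/download?id=9"),
    (6, "user3@domain3.com", "/files/download?id=3"),
]


def sequence_by(events, first, second):
    """Simplified model of 'sequence by <key> [first] [second]' (assumed, not EQL itself):
    per join key, a first-stage match followed by a second-stage match completes the sequence.
    Returns (join_key, first_ts, second_ts) for each completed sequence."""
    pending = defaultdict(list)
    matches = []
    for ts, email, path in sorted(events):
        if second(path) and pending[email]:
            matches.append((email, pending[email].pop(0), ts))
        if first(path):
            pending[email].append(ts)
    return matches


def downloads_without_prior_reset(events):
    """The intent stated in the post: users with a download who did NOT visit /reset earlier.
    This is an absence check per user, which a positive sequence stage cannot express:
    'url.path != \"/reset\"' matches any other request, not 'no reset happened'."""
    reset_seen, flagged = set(), set()
    for ts, email, path in sorted(events):
        if path == "/reset":
            reset_seen.add(email)
        elif "download" in path and email not in reset_seen:
            flagged.add(email)
    return sorted(flagged)


if __name__ == "__main__":
    # First query from the post: '!=' pairs /home with a later download, so user1 is
    # reported even though user1 did hit /reset in between.
    print(sequence_by(EVENTS, lambda p: p != "/reset", lambda p: "download" in p))
    # Second query from the post: only users who reset and then downloaded.
    print(sequence_by(EVENTS, lambda p: p == "/reset", lambda p: "download" in p))
    # What the poster wants: user2 and user3 (downloaded, never reset beforehand).
    print(downloads_without_prior_reset(EVENTS))
```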