Hello,
I’m trying to send a web request with a PowerShell script:
{
"query":
"""
FROM packetbeat-tls
| WHERE dnsdomain.keyword == "%domain%" AND @timestamp > NOW() - 7days
| KEEP host.name.keyword, source.ip.keyword
| STATS
all = COUNT(*) WHERE NOT host.name.keyword:"%target%",
target = COUNT(*) WHERE host.name.keyword:"%target%" BY source.ip.keyword
| EVAL present = CASE(
all > 0 AND target >= 0, "OK",
all == 0 AND target > 0, "ERROR",
all == 0 AND target == 0, "WARN" )
| WHERE `present`=="ERROR"
| KEEP present, source.ip.keyword
"""
}
*%x% == Variables
The request works well with DevTools but not within PowerShell.
The request:
Invoke-WebRequest -Method Post -Uri "$url/_query/async?allow_partial_results=true" -Body $body -Headers $Headers -UseBasicParsing -ContentType 'application/json'
I get this error:
Invoke-WebRequest : {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:13] Unexpected character ('"' (code 34)): was expecting comma to separate Object entries\n at [Source: (byte[])"{"query": """FROM…etc
How can I send a PowerShell query for ESQL?
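The `"""` triple-quoted string in the body above is Kibana Dev Tools console syntax and is not valid JSON, which is what the parser rejects at `[1:13]`. The following is an added example, not part of the original post, that builds the same body in PowerShell and lets `ConvertTo-Json` do the JSON escaping. The values of `$url`, `$Headers`, `$domain` and `$target` are constructed placeholders, and `ConvertTo-EsqlLiteral` is a hypothetical helper name.

```powershell
# Added example. All values below are constructed placeholders.
$url     = 'https://elasticsearch.example:9200'
$Headers = @{ Authorization = 'ApiKey <api-key-placeholder>' }
$domain  = 'example.com'
$target  = 'host01'

# Single-quoted here-string: PowerShell expands nothing inside it, so the
# backticks, double quotes and @timestamp reach Elasticsearch unchanged.
# The query text is the one from the post, with its %domain% / %target% markers.
$template = @'
FROM packetbeat-tls
| WHERE dnsdomain.keyword == "%domain%" AND @timestamp > NOW() - 7days
| KEEP host.name.keyword, source.ip.keyword
| STATS
    all = COUNT(*) WHERE NOT host.name.keyword:"%target%",
    target = COUNT(*) WHERE host.name.keyword:"%target%" BY source.ip.keyword
| EVAL present = CASE(
    all > 0 AND target >= 0, "OK",
    all == 0 AND target > 0, "ERROR",
    all == 0 AND target == 0, "WARN" )
| WHERE `present`=="ERROR"
| KEEP present, source.ip.keyword
'@

# Hypothetical helper: escape backslash and double quote so a substituted
# value cannot terminate the ES|QL string literal it is placed in.
function ConvertTo-EsqlLiteral([string]$Value) {
    $Value.Replace('\', '\\').Replace('"', '\"')
}

$query = $template.
    Replace('%domain%', (ConvertTo-EsqlLiteral $domain)).
    Replace('%target%', (ConvertTo-EsqlLiteral $target))

# ConvertTo-Json turns the multi-line query into one valid JSON string
# (quotes become \", line breaks become \n), replacing the """ block.
$body = @{ query = $query } | ConvertTo-Json -Compress

Invoke-WebRequest -Method Post `
    -Uri "$url/_query/async?allow_partial_results=true" `
    -Body $body -Headers $Headers -UseBasicParsing `
    -ContentType 'application/json'
```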