How to look for string '\user' using query_string

Hello everybody! I have tried for an hour to find a way to look for '\user' inside a message and I cannot make it work.

I know this can be easily done using the match_phrase command, but since I'm using ElastAlert I must use 'query_string'.

This is my query:

GET my-index/_search
{
  "query": {
    "query_string": {
      "query": "(message: \u)",
      "default_operator": "AND"
    }
  }
}

This is the error I get every time:

{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "parse_exception: Truncated unicode escape sequence."
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "my-index-2018.10.04",
        "node": "58KThwdwSaC1sxYV6kU3ZQ",
        "reason": {
          "type": "query_shard_exception",
          "reason": "Failed to parse query [(message: \u)]",
          "index_uuid": "d0z9xK3cR8O4XCWNmoYP7A",
          "index": "winlogwmi-2018.10.04",
          "caused_by": {
            "type": "parse_exception",
            "reason": "parse_exception: Cannot parse '(message: \u)': Truncated unicode escape sequence.",
            "caused_by": {
              "type": "parse_exception",
              "reason": "parse_exception: Truncated unicode escape sequence."
            }
          }
        }
      }
    ],
    "caused_by": {
      "type": "parse_exception",
      "reason": "parse_exception: Truncated unicode escape sequence."
    }
  },
  "status": 400
}

I have tried the following combinations: '\u', '@\u'.

None of them work :(
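The thread has no reply on this page, so the following is an added example (editor's code, not from the original poster, Elasticsearch or ElastAlert) showing why the query above fails and how to build one that does not. The backslash in `\user` has to survive two parsers: the JSON parser of the request body and the Lucene query_string parser, and `\u` starts a `\uXXXX` unicode escape in both of them. The backslash is also a reserved character in query_string, so it must be doubled there, and then doubled again by the JSON encoder, which is why the body on the wire carries four backslashes. The reserved-character list follows the Elasticsearch reference for query_string; the function and field names are the example's own.

```python
import json
import re

# Characters the Lucene query_string syntax treats as operators. Each one must be
# prefixed with a backslash to be searched literally; '&&' and '||' are escaped as
# a pair. '<' and '>' cannot be escaped at all in query_string, so they are left out.
_RESERVED = re.compile(r'(&&|\|\||[+\-=!(){}\[\]^"~*?:\\/])')


def escape_query_string(term: str) -> str:
    """Escape a literal term for use inside a query_string query.

    The backslash itself is reserved, so the single backslash in '\\user'
    becomes two: Lucene strips one level and searches for the literal '\\user'.
    """
    return _RESERVED.sub(r'\\\1', term)


def lucene_sees(escaped: str) -> str:
    """Undo one level of query_string escaping, i.e. what the Lucene parser does
    before it looks up the term. A '\\u' that is NOT doubled is instead read as
    the start of a \\uXXXX escape, which is the 'Truncated unicode escape' error."""
    return re.sub(r'\\(.)', r'\1', escaped)


def build_query(field: str, term: str, operator: str = "AND") -> dict:
    """Build the request body for a query_string search restricted to one field."""
    return {
        "query": {
            "query_string": {
                "query": f"{field}:{escape_query_string(term)}",
                "default_operator": operator,
            }
        }
    }


def request_body(field: str, term: str) -> str:
    """Serialise the body. json.dumps escapes every backslash once more for JSON,
    so the one backslash in '\\user' ends up as four characters on the wire."""
    return json.dumps(build_query(field, term))


def wire_query(field: str, term: str) -> str:
    """Decode the serialised body again and return the string the query_string
    parser actually receives (two backslashes for the one in '\\user')."""
    return json.loads(request_body(field, term))["query"]["query_string"]["query"]


def is_valid_json(body: str) -> bool:
    """True if the body parses as JSON; a bare '\\u' inside a JSON string does not."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed body modelled on the one in the post: rejected before Lucene ever sees it.
    naive = r'{"query": {"query_string": {"query": "(message: \u)"}}}'
    print("naive body is valid JSON:", is_valid_json(naive))
    print("wire body:", request_body("message", "\\user"))
    print("query_string receives:", wire_query("message", "\\user"))
    print("Lucene searches for:", lucene_sees(wire_query("message", "\\user")))
```

Two things to check before blaming the escaping. First, ElastAlert filters are written in YAML, and a double-quoted YAML scalar also processes `\\` and `\u` escapes, so either write the value single-quoted (`'message:\\user'`) or double the backslashes again in a double-quoted one. Second, if `message` is a `text` field with the standard analyzer, the backslash is dropped at index time and the token stored is just `user`, so even a correctly escaped `\\user` will match nothing on that field; run the query against a `keyword` subfield (for example `message.keyword`, if the mapping has one) or check the mapping first.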

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.