Hello everybody!. I have tried for an hour a way to look for '\user' inside of a message and I cannot make it work.
I know this can be easily done using the match_phrase command, but since I'm using ElastAlert I must use 'query_string'.
This is my query:
GET my-index/_search
{
"query": {
"query_string" : {
"query" : "(message: \u)",
"default_operator": "AND"
}
}
}
This is the error I get every time:
{
"error": {
"root_cause": [
{
"type": "parse_exception",
"reason": "parse_exception: Truncated unicode escape sequence."
}
],
"type": "search_phase_execution_exception",
"reason": "all shards failed",
"phase": "query",
"grouped": true,
"failed_shards": [
{
"shard": 0,
"index": "my-index-2018.10.04",
"node": "58KThwdwSaC1sxYV6kU3ZQ",
"reason": {
"type": "query_shard_exception",
"reason": "Failed to parse query [(message: \u)]",
"index_uuid": "d0z9xK3cR8O4XCWNmoYP7A",
"index": "winlogwmi-2018.10.04",
"caused_by": {
"type": "parse_exception",
"reason": "parse_exception: Cannot parse '(message: \u)': Truncated unicode escape sequence.",
"caused_by": {
"type": "parse_exception",
"reason": "parse_exception: Truncated unicode escape sequence."
}
}
}
}
],
"caused_by": {
"type": "parse_exception",
"reason": "parse_exception: Truncated unicode escape sequence."
}
},
"status": 400
}