Hey there, im new to this elk world and im currently working on a threat hunting project with ELK/Zeek. My problem is, that i want for example to query for DNS.Length > 75 within zeek data. I know that its easy to do in splunk, but how to do it with KQL ? I cant find this variable there with lengt…

Painless is painfull :slight_smile: try this { "script": { "script": { "lang": "painless", "source": "if (doc['zeek.dns.query'].size() == 0) { return false;} else {return doc['zeek.dns.query'].value.length() > 5;}" } } }

I don't believe you can do this in KQL, maybe Lucene. But here is how you can make a query to do this but it might not solve your issue depending on what you want to do with it after. GET index-name/_search { "query": { "bool": { "filter": { "script": { "script": { …

Thanks for the fast response, i thought KQL is based on Lucene? So is lucene "the standard"? So for this script i need to change to lucene and just put it in there ? I cant see multiple lines there, just one for "Search". So i changed from splunk to elk bc i thought it would be easier for my proj…

You can change between KQL and Lucence by turning off KQL as seen below. [image] For that type of query you do that in Dev Tools. That is where you can run all your custom queries. So go to Dev Tools and paste in that query and run it.

You can add a custom DSL query as a filter [image]

Thanks for responses, so i change KQL to Lucene and then put: {"script":{"source":doc['ifName'].value.length() > 75","lang":"painless"}} or the script from aaron-nimocks there, or just put it to dev tools ? Do i need to change the ['DNS'] to ['zeek.dns.query'] then ? im getting the following err…

From Kibana UI : Go to discover app and add anew filter [image] Click on "Edit as Query DSL" [image] Past the custom DSL query { "script": { "script": { "source": "doc['zeek.dns.query'].value.length() > 75", "lang": "painless" } } } …

You can also create a new scripted field and use it as normal field [image] Scripted fields | Kibana Guide [7.10] | Elastic

aah thank you! But now i get: Error executing Painless script: 'doc['zeek.dns.query'].value.length() > 5'. org.elasticsearch.index.fielddata.ScriptDocValues$Strings.get(ScriptDocValues.java:494) org.elasticsearch.index.fielddata.ScriptDocValues$Strings.getValue(ScriptDocValues.java:508) doc['zeek…

OK i see, we need to check if field exist, try this :slight_smile: { "script": { "script": { "lang": "painless", "source": "if (!doc.containsKey('zeek.dns.query')) { return false;} else {return doc['zeek.dns.query'].value.length() > 5;}" } } }

[grafik] if i check zeek.dns.query i see values at least, so it shouldnt be empty

How to Query for length with elasticsearch (KQL)

Elastic Stack Elasticsearch

ylasri (Yassine LASRI) December 29, 2020, 5:48pm 7

From Kibana UI :

Go to discover app and add anew filter

Click on "Edit as Query DSL"

Past the custom DSL query

{
    "script": {
          "script": {
            "source": "doc['zeek.dns.query'].value.length() > 75",
            "lang": "painless"
          }
        }
}

Click on save

1 Like

Topic		Replies	Views
KIBANA : String Length based Filter to my documents Kibana	7	5156	August 29, 2020
Getting documents based on field length Elasticsearch	5	609	March 13, 2019
Filter field by length Elasticsearch	5	6293	May 18, 2018
Using the LENGTH string function to limit search Elasticsearch	5	9397	February 7, 2020
How to filter docs by text field length? Elasticsearch	2	9561	August 31, 2020

How to Query for length with elasticsearch (KQL)

Related topics