How to quote/escape esQuery when it contains quotes?

Dear all =)

I am using the Create Rule API with the Elasticsearch query action. It works perfectly until I need to query something that includes quotes. Example: host:"10.250.11.11".

Ideally I would like to write it as

"esQuery": '{ "query": { "query_string": { "query": "host:"10.250.11.11" } } }'

but then Kibana fails with invalid JSON. If I do

"esQuery": "{ \"query\": { \"query_string\": { \"query\": \"host:\"10.250.11.11\"\" } } }"

then Kibana removes the quotes around the IP address.

Question

Does anyone know how to quote this correctly?

Below is my entire payload

Hugs
Sandra =)

{
   "params":{
      "esQuery": "_____REPLACE_THIS_____",
      "size":100,
      "timeWindowSize":"_____REPLACE_THIS_____",
      "timeWindowUnit":"s",
      "threshold":[
         "_____REPLACE_THIS_____"
      ],
      "thresholdComparator":">=",
      "index":[
         "_____REPLACE_THIS_____"
      ],
      "timeField":"@timestamp"
   },
   "consumer":"alerts",
   "schedule":{
      "interval":"_____REPLACE_THIS_____"
   },
   "tags":[

   ],
   "name":"_____REPLACE_THIS_____",
   "enabled":true,
   "throttle":null,
   "rule_type_id":".es-query",
   "notify_when":"onActiveAlert",
   "actions":[
      {
         "group":"query matched",
         "id":"_____REPLACE_THIS_____",
         "params":{
            "body":{
               _____REPLACE_THIS_____
            }
         }
      }
   ]
}

I think I understand what you're trying to achieve; I believe you need to double-escape your innermost quotation marks. For example:

"esQuery": "{ \"query\": { \"query_string\": { \"query\": \"host:\\\"10.250.11.11\\\"\" } } }"

When that esQuery string is parsed into JSON, it becomes:

{ "query": { "query_string": { "query": "host:\"10.250.11.11\"" } } }

Give that a shot and see if it works!

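The double escaping in the answer above falls out automatically when each JSON layer is serialized by a library instead of by hand. This Python sketch is an added example, not part of the original thread: the function names are hypothetical, the request body is reduced to `params.esQuery`, and the two sample bodies are constructed from the hand-escaped attempts quoted in the thread.

```python
import json

def build_es_query_param(query_string: str) -> str:
    """Serialize the inner Elasticsearch query to the string esQuery expects."""
    inner = {"query": {"query_string": {"query": query_string}}}
    return json.dumps(inner)  # first escaping level: " becomes \"

def build_rule_body(query_string: str) -> str:
    """Serialize the outer request body (reduced to params.esQuery here)."""
    params = {"esQuery": build_es_query_param(query_string)}
    return json.dumps({"params": params})  # second level: \" becomes \\\"

def decode_query_string(body_text: str) -> str:
    """Parse both JSON layers and return the query_string the query will use.

    Raises json.JSONDecodeError if either layer is malformed.
    """
    outer = json.loads(body_text)
    inner = json.loads(outer["params"]["esQuery"])
    return inner["query"]["query_string"]["query"]

def inner_layer_is_valid(body_text: str) -> bool:
    """True if esQuery itself is valid JSON once the outer body is parsed."""
    try:
        decode_query_string(body_text)
        return True
    except json.JSONDecodeError:
        return False

# Constructed samples: the thread's two hand-escaped esQuery values,
# wrapped in a minimal body so both layers can be parsed.
SINGLE_ESCAPED = r'{"params":{"esQuery":"{ \"query\": { \"query_string\": { \"query\": \"host:\"10.250.11.11\"\" } } }"}}'
DOUBLE_ESCAPED = r'{"params":{"esQuery":"{ \"query\": { \"query_string\": { \"query\": \"host:\\\"10.250.11.11\\\"\" } } }"}}'

if __name__ == "__main__":
    body = build_rule_body('host:"10.250.11.11"')
    print(body)                                  # text as sent on the wire
    print(decode_query_string(body))             # what the query sees
    print(inner_layer_is_valid(SINGLE_ESCAPED))  # inner layer fails to parse
    print(inner_layer_is_valid(DOUBLE_ESCAPED))  # inner layer parses
```

Running a hand-written body through `decode_query_string` before sending it shows which of the two layers is malformed.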

Thanks a lot Joe! It did the trick =)

Hugs,
Sandra =)
