How to quote/escape esQuery when it contains quotes?

Dear all =)

I am using the Create Rule API with the Elasticsearch query action. It works perfectly until I need to query something that includes quotes. Example host:"".

Ideally I would like to write it as

"esQuery": '{ "query": { "query_string": { "query": "host:"" } } }'

but then Kibana fails with invalid json. If I do

"esQuery": "{ \"query\": { \"query_string\": { \"query\": \"host:\"\"\" } } }"

then Kibana removes the quotes around the IP address.


Does anyone know how to quote this correctly?

Below is my entire payload

Sandra =)

      "esQuery": "_____REPLACE_THIS_____",

         "group":"query matched",

I think I understand what you're trying to achieve; I believe you need to double-escape your innermost quotation marks. For example:

"esQuery": "{ \"query\": { \"query_string\": { \"query\": \"host:\\\"\\\"\" } } }"

When that esQuery string is parsed into JSON, it becomes:

{ "query": { "query_string": { "query": "host:\"\"" } } }

Give that a shot and see if it works!

1 Like

Thanks a lot Joe! It did the trick =)

Sandra =)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.