I'm trying to create a Canvas markdown element with data from the following Elasticsearch SQL query:
SELECT Severity FROM "firewall-logs*" WHERE Severity LIKE '%critical%' AND ThreatName.keyword IS NOT NULL
My problem is, how do I get the inverse or "NOT LIKE" of the severity column (i.e., that is not critical)? I tried using NOT LIKE and Canvas shows "Expression failed" with the message:
[essql] > Unexpected error from Elasticsearch: [sql_illegal_argument_exception] Cannot evaluate script for expression LikePattern[%critical%,]
The problem is actually the quotes you are using. In SQL, ' and " mean different things. If you are just quoting a value to handle special characters, I believe you want to use double quotes (").
I get a different error when I use double quotes, and you might too:
SELECT extension,sum(bytes) AS bytes FROM "logstash*"
WHERE extension LIKE "%jpg%"
GROUP BY extension
[essql] > Couldn't parse Elasticsearch SQL query. You may need to add double quotes to names containing special characters. Check your query and try again. Error: [parsing_exception] line 2:22: mismatched input '"%jpg%"' expecting {'?', STRING}
I'm not totally sure the sql adapter supports LIKE and NOT LIKE yet... @costin can you chime in here?