Kibana query of reserved characters

perry29 · February 26, 2018, 9:52pm

I am using the Kibana 'filter builder' to create a search like 'uri is x'. The uri field (from Bro http logs) contains this: /auth/spGo.php?assetid=home&supportid=

When I set 'x' to one of these, the search works and finds what I expect (note lack of escaping):
/auth/spGo.php?assetid=home&supportid
/auth/spGo.php?assetid
spGo.php?assetid

When I set 'x' to one of these, the search does NOT work and finds nothing:
/auth/spGo.php?assetid=home&supporti
/auth/spGo.php?asseti
php?assetid

I would like to do search for ?, but using \? does not work either.

Bug? Newbie error? Any solutions?

Thanks,
David

tylersmalley · February 27, 2018, 11:12pm

What is filter builder referring to?

perry29 · February 27, 2018, 11:41pm

Sorry, by filter builder, I mean the "Add a filter +" just below the search box at the top of the "Discover" menu. I am sure there is an official name for this, but I do not know what it is. I have been looking at ELK for about a week and a half, so I have a lot to learn.

perry29 · March 12, 2018, 10:16pm

What is the process to raise this as a possible bug?

perry29 · March 13, 2018, 5:27pm

Kibana version 6.2.2

system · April 10, 2018, 5:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.