but Kibana/Elastic doesn't unescape \", so the search it performs is actually
host: \" 10 250 11 11 \"
Notice that searches for \". Where it should have been
host:"10.250.11.11"
If I had to guess, then the problem is that it isn't possible for Kibana/Elastic to convert "query": "host:\"10.250.11.11\"" into "query": "host:"10.250.11.11"" as that would be invalid JSON. Hence it is impossible to create rules over the API with searches that contain ".
JSON requires double-quotes around string values and keys. And in a JSON string, you can embed a double quote character by using "backslash double-quote" - \" (hoping that renders as the backslash character followed by the double quote character!)
So your first attempt seems closest. I think this is the value you want.
Triple quotes are largely a Kibana Dev Console thing, and aren't generally accepted in Kibana HTTP APIs, since they are not valid JSON - they're an extension of JSON.
then Kibana/Elastic treats the search as host:\"102501111\".
If I had to guess, then the problem lies in Escaping_Special_Characters, i.e. \" will never be unescaped, as Lucene sees \" as "it should search for "" and not as denoting the start/end of a string?
I suppose the problem is that " can mean two different things. Eg.
host:" text with a " inside "
     ^              ^
     |              +-- char to search for
     +-- start of string
or
host:" text with a " inside "
     ^              ^
     |              +-- start of string
     +-- char to search for
and Lucene has no way to tell which is which and therefore treats all escaped chars as chars to search for.
And since JSON requires double quotes, all other inner double quotes have to be escaped, and hence Lucene sees them as chars to search for.
I tried several different ways of escaping a double quote in a search running from Dev Tools. And of course it might have its own quoting issues. No luck when trying to include the quote in the query.
I did have some luck using a regexp though, and using . (wildcard) instead of the quote. For instance:
GET .kibana/_search
{
  "query": {
    "query_string": {
      "query": "/.*double quote . in the name.*/"
    }
  }
}
It found a document where a field had the text double quote " in the name. This query isn't great, since it uses regexp, searches default fields, and uses .* - I wasn't able to figure out how to give it a specific field name and still work, which should make it faster.
So I think we first need to figure out the query DSL for the query you want, not within alerting - either from Dev Console or via curl, using the _search API. Once we have that, hopefully we can figure out how to encode that in JSON so it gets passed along the way correctly.
Sorry, I was not clear. I want to see a plain old Elasticsearch search, via curl or Dev Console, that performs the search you want to embed in the rule. Nothing to do with the rule
Once we have that, I can see if we can figure out how to embed that inside the rule params.
I think what you pasted was your current attempt at trying to build the rule? Which doesn't work?
Another thought is this - especially since I will be mostly offline soon until Monday - once you have that query, you should be able to paste it into the Kibana "create alert" UI for the Elasticsearch query rule. Assuming the rule then works the way you want, you could use curl to get the rule data back out, to figure out how it was formatted. Get API here: Get rule API | Kibana Guide [master] | Elastic - there's also a Find API you can use, if you don't know the rule's ID which is required for the Get API - actually, you can just use the Find API unless you have lots of rules - it also returns the JSON definition of the rules.
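As an added illustration of the quoting layers this thread is wrestling with (example code, not posted by any participant): the Lucene query is JSON-encoded once for the _search body and, on the assumption that the Elasticsearch query rule's params.esQuery holds that body as a JSON string, a second time when the rule is created over the HTTP API. The helper names are hypothetical.

```python
import json

# Assumption: params.esQuery of the Elasticsearch query rule is a JSON string
# containing the _search body, so the body is JSON-encoded a second time.


def phrase_query(field: str, phrase: str) -> str:
    """Unescaped quotes delimit a phrase for the Lucene parser: host:"10.250.11.11"."""
    return f'{field}:"{phrase}"'


def literal_quote_query(field: str, term: str) -> str:
    """Backslash-escape quotes so the Lucene query_string parser treats them as
    characters to match rather than phrase delimiters (Lucene's 'Escaping
    Special Characters'). Whether a literal quote is then actually searchable
    still depends on the field's analyzer: a keyword field keeps it, the
    standard analyzer strips punctuation."""
    return f'{field}:{term.replace(chr(34), chr(92) + chr(34))}'


def search_body(lucene_query: str) -> str:
    """Layer 1: the _search request body. Each " in the query becomes \\" and
    each backslash becomes \\\\ in the JSON text."""
    return json.dumps({"query": {"query_string": {"query": lucene_query}}})


def rule_create_body(lucene_query: str) -> str:
    """Layer 2 (the esQuery assumption above): the whole search body is a
    string value, so every quote and backslash is escaped once more."""
    return json.dumps({"params": {"esQuery": search_body(lucene_query)}})


def query_seen_by_lucene(rule_body: str) -> str:
    """Undo both layers, as Kibana and Elasticsearch do, to show the exact
    string the Lucene parser finally receives."""
    es_query = json.loads(json.loads(rule_body)["params"]["esQuery"])
    return es_query["query"]["query_string"]["query"]


if __name__ == "__main__":
    for q in (phrase_query("host", "10.250.11.11"),
              literal_quote_query("name", 'a"b')):
        print("lucene :", q)
        print("_search:", search_body(q))
        print("rule   :", rule_create_body(q))
        assert query_seen_by_lucene(rule_create_body(q)) == q
```

Comparing the three printed lines for each query makes it easy to check whether a rule pasted over the API carries one backslash too few or too many.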