Search for the "?" character in a field

Vulco_Viljoen · December 17, 2019, 11:02am

Hello there,

I have been trying to do a search for patterns such as "id.php?u=https". In this case, I want to find "?u". The emphasis on finding the actual question mark character.

I have tried regex, term, and query_string with no luck. I keep getting a
json_parse_exception
Unexpected character ('?' (code 63)): was expecting comma to separate OBJECT entries\n at [Source: [B@480f43aa; line: 6, column: 32]

In a perfect world, it would have been awesome to have a Perl regex plugin for Elasticsearch.

Any advice would be appreciated.

dadoonet · December 17, 2019, 11:52am

Why would you need a plugin when you have this? https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html

Vulco_Viljoen · December 17, 2019, 1:10pm

As stated it would have been great to use Perl regex instead of Lucene, but alas that is possible.

All I want to accomplish is to search for the "?" character within a string/field, without it interpreting it.

    {
    "query": {
        "regexp": {
            "message": {
                "value": "php\?u\=https"
        }
    }
}

  "shard": 0,
    "index": "graylog_1877",
    "node": "3oAbEoXMSZ2Q91_ZPfq13w",
    "reason": {
      "type": "query_parsing_exception",
      "reason": "Failed to parse",
      "index": "graylog_1877",
      "caused_by": {
        "type": "json_parse_exception",
        "reason": "Unrecognized character escape '?' (code 63)\n at [Source: [B@7643f010; line: 6, column: 32]"

system · January 14, 2020, 1:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.