Searching Does not Return Results - Challenge

I have this log message in Elastic:
ExtendedProperties
[{"Name":"UserAgent","Value":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13426; Pro)"} {"Name":"UserAuthenticationMethod","Value":"1"} {"Name":"RequestType","Value":"OAuth2:Token"} {"Name":"ResultStatusDetail","Value":"Success"} {"Name":"KeepMeSignedIn","Value":"false"}].

I have tried searching various ways for "OAuth2". Do you know how I can successfully search for it and get results?

Thanks,
Gary

Can you share what you have tried?

'*.keyword:(OAuth2)'
OAuth2
"OAuth2"
"OAuth2:Token"
OAuth2:Token
(OAuth2:Token)
(OAuth2)
text:(OAuth2)
OAuth2
fuzzy:OAuth2
*.keyword:(OAuth2)
keyword:(OAuth2)
text:OAuth2

Is ExtendedProperties by any chance mapped as a nested field?

Do you know where the "path" comes from for a nested query or what query would I use to tell if there were nested fields?

Check the INDEXNAME/_mapping endpoint.

Does this help?

"ExtendedProperties" : {
  "properties" : {
    "*" : {
      "type" : "object"
    }
  }
}

There is a bunch of these.
"ExtendedProperties" : {
  "type" : "keyword",
  "ignore_above" : 1024
}

Is there a way of knowing if it is a nested field or how to search and find this data?

It'd be useful if you posted the entire thing please. Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

The post is limited to 13000 characters. The output is over 58000. I am not finding a way to attach it as a text file. Do you have any suggestions?

Use gist/pastebin/etc.


Were you able to review the index? What started this query is that there is a detection rule that looks at OAuth2; however, I am not able to confirm that it is working.
The pastebin post will be deleted in 4 hours, but I can repost it if necessary.

Any movement on this request?
Thanks

Keeping this alive.
Thanks

Any word on being able to complete the search?

Keep alive

Keep alive

If you don't get an answer, my recommendation would be to provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.
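The following Kibana dev console script is an added reproduction example written for this page; it is not from the thread or from Elastic. It assumes an index named oauth-repro (hypothetical) in which ExtendedProperties is mapped as a nested array of Name/Value keyword pairs, which is the mapping the earlier question about nested fields was probing for; the thread only shows partial mapping output, so whether the real index is mapped this way is an assumption. The path of a nested query is simply the name of the nested field, here ExtendedProperties. The script creates the index, indexes the exact document from the question, shows the mapping, and runs the query a detection rule for OAuth2 token requests would use.

```console
# Hypothetical test index: ExtendedProperties as a nested array of Name/Value pairs
PUT oauth-repro
{
  "mappings": {
    "properties": {
      "ExtendedProperties": {
        "type": "nested",
        "properties": {
          "Name":  { "type": "keyword" },
          "Value": { "type": "keyword", "ignore_above": 1024 }
        }
      }
    }
  }
}

# Index the document from the question (same five Name/Value pairs), refreshed so it is searchable at once
POST oauth-repro/_doc?refresh=true
{
  "ExtendedProperties": [
    {"Name":"UserAgent","Value":"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13426; Pro)"},
    {"Name":"UserAuthenticationMethod","Value":"1"},
    {"Name":"RequestType","Value":"OAuth2:Token"},
    {"Name":"ResultStatusDetail","Value":"Success"},
    {"Name":"KeepMeSignedIn","Value":"false"}
  ]
}

# Check the mapping: "type": "nested" is the signal that a nested query is required
GET oauth-repro/_mapping

# Nested query: Name and Value must match inside the SAME object, so a doc where
# RequestType is something else and an unrelated property contains "OAuth2:Token" does not match
GET oauth-repro/_search
{
  "query": {
    "nested": {
      "path": "ExtendedProperties",
      "query": {
        "bool": {
          "filter": [
            { "term": { "ExtendedProperties.Name":  "RequestType" } },
            { "term": { "ExtendedProperties.Value": "OAuth2:Token" } }
          ]
        }
      }
    }
  }
}
```

Two points this illustrates. First, a keyword field stores the whole value as one token, so a bare search for OAuth2 will not hit a value of OAuth2:Token; match the full string, or use a prefix or wildcard query such as OAuth2* if the rule must cover other OAuth2 request types. Second, in the Kibana search bar the equivalent KQL for a nested field is ExtendedProperties:{ Name:"RequestType" and Value:"OAuth2:Token" }; without the braces KQL queries the fields as if they were flat and returns nothing for nested data. If _mapping shows ExtendedProperties as a plain keyword instead (the second fragment posted above), the whole JSON array is one string and only a full-value, wildcard, or query_string match against that string will find it.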

I'm using Kibana.
I can browse in the logs and find {"Name":"RequestType","Value":"OAuth2:Token"} in the log message. I haven't found a way to search for log messages that contain "OAuth2".
Does that help?