Timelion 7.10 Error : Syntax Error

ManuelF · November 19, 2020, 4:21pm

Hi,

Recently upgraded ELK to try v7.10.

I am getting an error in Timelion:

Timelion request error: undefined SyntaxError: {"type":"incompleteFunction","function":"es","location":{"min":0,"max":3},"text":".es"}

Timelion error

This query was working fine from ELK v6.x up to v7.9.2

After some research I found out an article that explains what the issue might be: kibana timelion in 7.10.0: command parser does not support single quotes ' anymore. #83296

I have replaced all single quotes in my query, but I keep getting the same error.

Original query:

.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label("Original"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label("One week offset"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label("Difference").lines(steps=3,fill=2,width=1)

Fixed query:

.es(index="logstash-vulnwhisperer-*"q="(risk_score:>=9 AND risk_score:<=10)").label("Original"),.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)",offset=-1w).label("One week offset"),.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)").subtract(.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)",offset=-1w)).label("Difference").lines(steps=3,fill=2,width=1)

Am I missing something else?
Can you please help me with this error?

Thank you in advance

wylie · November 19, 2020, 6:25pm

It looks like the parsing got stricter, so you'd have to check the whole expression. It looks like you might be missing a comma in the "fixed" query? Also, what happens if you put the -1w offset in quotes?

ManuelF · November 19, 2020, 7:52pm

Hi @wylie,

Thank you for confirming the internal change for the new parser in Timelion

and for pointing out a possible misspelling in the query. In fact there was a character missing. Got all Timelion queries fixed and working.

Fix: Replace all single quotes ' by double quotes " in the Timelion queries.

Thank you

braham · November 25, 2020, 10:53am

Thanks @ManuelF and @wylie
It worked for us by Replace all single quotes ' by double quotes " in the Timelion queries.
But facing the problem, how to replace single quote in below scripts where both quotes are present.

..es(split='host.keyword:10',q='messageType.keyword:watchdog AND drupal_action.keyword : "CV submission" and url:"*job-apply*" AND tags.keyword :"web"')

wylie · November 25, 2020, 3:31pm

We are planning to release a bug fix for this in the next patch release and next minor, so hopefully 7.10.1 and 7.11: https://github.com/elastic/kibana/pull/84196

system · December 23, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timelion in 7.10.0 does not work with single quotations anymore Kibana timelion	3	388	December 10, 2020
Timelion Kibana Error : Syntax Error / Incomplete function Kibana timelion	3	1971	August 14, 2018
Timelion of kibana error : incomplete function Kibana timelion	5	2514	September 15, 2017
Solved: Timelion OR query Kibana timelion	3	3336	August 29, 2017
Cannot get commands in timelion to work Kibana timelion	2	1122	June 23, 2017

Timelion 7.10 Error : Syntax Error

Related topics