Timelion 7.10 Error : Syntax Error


Recently upgraded ELK to try v7.10.

I am getting an error in Timelion:

Timelion request error: undefined SyntaxError: {"type":"incompleteFunction","function":"es","location":{"min":0,"max":3},"text":".es"}

Timelion error

This query was working fine from ELK v6.x up to v7.9.2

After some research I found out an article that explains what the issue might be: kibana timelion in 7.10.0: command parser does not support single quotes ' anymore. #83296

I have replaced all single quotes in my query, but I keep getting the same error.

Original query:

.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').label("Original"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w).label("One week offset"),.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)').subtract(.es(index='logstash-vulnwhisperer-*',q='(risk_score:>=9 AND risk_score:<=10)',offset=-1w)).label("Difference").lines(steps=3,fill=2,width=1)

Fixed query:

.es(index="logstash-vulnwhisperer-*"q="(risk_score:>=9 AND risk_score:<=10)").label("Original"),.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)",offset=-1w).label("One week offset"),.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)").subtract(.es(index="logstash-vulnwhisperer-*",q="(risk_score:>=9 AND risk_score:<=10)",offset=-1w)).label("Difference").lines(steps=3,fill=2,width=1)

Am I missing something else?
Can you please help me with this error?

Thank you in advance

It looks like the parsing got stricter, so you'd have to check the whole expression. It looks like you might be missing a comma in the "fixed" query? Also, what happens if you put the -1w offset in quotes?

Hi @wylie,

Thank you for confirming the internal change for the new parser in Timelion

and for pointing out a possible misspelling in the query. In fact there was a character missing. Got all Timelion queries fixed and working.

Fix: Replace all single quotes ' by double quotes " in the Timelion queries.

Thank you

1 Like

Thanks @ManuelF and @wylie
It worked for us by Replace all single quotes ' by double quotes " in the Timelion queries.
But facing the problem, how to replace single quote in below scripts where both quotes are present.

..es(split='host.keyword:10',q='messageType.keyword:watchdog AND drupal_action.keyword : "CV submission" and url:"*job-apply*" AND tags.keyword :"web"')

We are planning to release a bug fix for this in the next patch release and next minor, so hopefully 7.10.1 and 7.11: https://github.com/elastic/kibana/pull/84196

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.