Timelion is rejecting query string that works in dev tools

I am able to get search results using the following query string.

GET metricbeat-system-2019.07.16/_search?q=host.name:elklogstash02.mydc+event.dataset:system.network

However, when I use the same in Timelion, it fails.

.es(q=host.name:elklogstash02.mydc+event.dataset:system.network, index=metricbeat-system*)

Timelion uses the query string format. So, I expected that the query string would work.

I get the following error in Kibana.

Timelion: Error: in cell #1: [parse_exception] parse_exception: Encountered " ":" ": "" at line 1, column 58. Was expecting one of: <EOF> <AND> ... <OR> ... <NOT> ... "+" ... "-" ... <BAREOPER> ... "(" ... " *" ... "^" ... <QUOTED> ... <TERM> ... <FUZZY_SLOP> ... <PREFIXTERM> ... <WILDTERM> ... <REGEXPTERM> ... "[" ... "{" ... <NUMBER> ... (and) [parse_exception] parse_exception: Encountered " ":" ": "" at line 1, column 58. Was expecting one of: <EOF> <AND> ... <OR> ... <NOT> ... "+" ... "-" ... <BAREOPER> ... "(" ... "* " ... "^" ... <QUOTED> ... <TERM> ... <FUZZY_SLOP> ... <PREFIXTERM> ... <WILDTERM> ... <REGEXPTERM> ... "[" ... "{" ... <NUMBER> ... (and) [parse_exception] parse_exception: Encountered " ":" ": "" at line 1, column 58. Was expecting one of: <EOF> <AND> ... <OR> ... <NOT> ... "+" ... "-" ... <BAREOPER> ... "(" ... " *" ... "^" ... <QUOTED> ... <TERM> ... <FUZZY_SLOP> ... <PREFIXTERM> ... <WILDTERM> ... <REGEXPTERM> ... "[" ... "{" ... <NUMBER> ... (and) [parse_exception] parse_exception: Encountered " ":" ": "" at line 1, column 58. Was expecting one of: <EOF> <AND> ... <OR> ... <NOT> ... "+" ... "-" ... <BAREOPER> ... "(" ... "* " ... "^" ... <QUOTED> ... <TERM> ... <FUZZY_SLOP> ... <PREFIXTERM> ... <WILDTERM> ... <REGEXPTERM> ... "[" ... "{" ... <NUMBER> ... (and) [parse_exception] parse_exception: Encountered " ":" ": "" at line 1, column 58. Was expecting one of: <EOF> <AND> ... <OR> ... <NOT> ... "+" ... "-" ... <BAREOPER> ... "(" ... "*" ... "^" ... <QUOTED> ... <TERM> ... <FUZZY_SLOP> ... <PREFIXTERM> ... <WILDTERM> ... <REGEXPTERM> ... "[" ... "{" ... <NUMBER> .

Am I missing something?

I guess your query string is missing something. The documentation provides a list of reserved characters, which includes / I think between copy/pasting in this thread a bunch of the single quotes have been replaced with double-quotes and smart-quotes. When you're trying it I think you should be using single quotes everywhere. Let me know if that fixes it.

Another thought is to break down your expression so that you can test each part. For example, the .es() block with just the index=metricbeat-system* inside, does that work by itself?

Query string query | Elasticsearch Guide [8.11] | Elastic

Yes, .es(index=metricbeat-system*) works fine.

.es(q='host.name:elklogstash02.mydc', index=metricbeat-system*) does not work.

However, .es(q=host.name:elklogstash02.mydc, index=metricbeat-system*) works fine. So, the question that remains to be answered is how do I include the + in the Timelion query so that the second clause is also added.

The error message is seen in the attachment.

Could you try it with these single and double quotes in your query?

.es(q='host.name:"elklogstash02.mydc+event.dataset:system.network"', index=metricbeat-system*)

There are single quotes around the whole query string: q=' '

And there are double quotes around the actual search value "elklogstash02.mydc+event.dataset:system.network"

.es(q='host.name:"elklogstash02.mydc"+event.dataset:"system.network"', index=metricbeat-system*) worked. Thanks @LeeDr
