Translating a simple Splunk query resulted in 200 lines of Elasticsearch DSL - is there a better way?

Hi,

I am translating a simple Splunk query. I have been working on populating fields for our Web logs, with Logstash and FluentD. So far that is all cool. We have a field named http.url for all used http URLs.

For security-relevant info we have a Splunk search:

"script>" OR "UNION ALL SELECT" OR "UNION%20ALL%20SELECT" OR " ORDER BY 1" OR "SELECT PG_SLEEP(" OR "SELECT%20PG_SLEEP(" OR "AND SLEEP(5) AND"

This got pretty long over time, and this is a part of it.

Now I got it into DSL:

{
  "query": {
    "bool": {
      "should": [
        {
          "term": {
            "http.url": "script>"
          }
        },
        {
          "term": {
            "http.url": "UNION ALL SELECT"
          }
        },
        {
          "term": {
            "http.url": "SELECT PG_SLEEP("
          }
        },
        {
          "term": {
            "http.url": "SELECT%20PG_SLEEP("
          }
        },
        {
          "term": {
            "http.url": "AND SLEEP(5) AND"
          }
        }
      ]
    }
  }
}

This isn't satisfying at all. This is too long and too complex for everyday use for me. I don't know how to add a time frame to it. Like 1h, one day...

  • Is there any sort of plugin for Elasticsearch or Kibana which makes this easier? I'd like to be able to narrow down the ranges and to automate this query with an hourly job.

  • The documentation on how to add a timeframe range to such a query isn't helpful for me. We are using the standard Logstash format, but somehow I get the feeling that range queries are used to set value thresholds.

Best,
Marius

Have a look at the Query String query:

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax

That gives you a similar look and feel to the provided example query (and also shows syntax for date ranges).
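As an added example (not part of the original thread), the following Python builds the query_string form the answer points to, with the indicators from the Splunk search above and a time window expressed as a `range` filter on `@timestamp`. The field name `http.url` and the phrase list come from the question; the window size, the index name and the function names are assumptions.

```python
import json

# The indicator phrases from the Splunk search in the question (constructed list).
SUSPICIOUS_PHRASES = [
    "script>",
    "UNION ALL SELECT",
    "UNION%20ALL%20SELECT",
    " ORDER BY 1",
    "SELECT PG_SLEEP(",
    "SELECT%20PG_SLEEP(",
    "AND SLEEP(5) AND",
]


def quote_phrase(phrase):
    """Wrap a phrase in double quotes for Lucene query-string syntax.

    Inside a quoted phrase only the backslash and the double quote need
    escaping; characters such as ( > % are literal text there.
    """
    escaped = phrase.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_query_string(phrases):
    """Join quoted phrases with OR, mirroring the look of the Splunk search."""
    return " OR ".join(quote_phrase(p) for p in phrases)


def build_search_body(field, phrases, window="1h", timestamp_field="@timestamp", size=100):
    """Return an Elasticsearch request body: query_string on `field`, limited to
    the last `window` by a range filter on the timestamp field.

    `window` uses Elasticsearch date-math units (e.g. "1h", "1d"), so the same
    body can be sent by an hourly job with window="1h".
    """
    return {
        "size": size,
        "query": {
            "bool": {
                "must": [
                    {
                        "query_string": {
                            "query": build_query_string(phrases),
                            "default_field": field,
                        }
                    }
                ],
                "filter": [
                    {"range": {timestamp_field: {"gte": f"now-{window}", "lte": "now"}}}
                ],
            }
        },
        "sort": [{timestamp_field: {"order": "desc"}}],
    }


if __name__ == "__main__":
    # Assumed index pattern; print the body that an hourly job would POST to
    # /<index>/_search.
    body = build_search_body("http.url", SUSPICIOUS_PHRASES, window="1h")
    print("POST /logstash-*/_search")
    print(json.dumps(body, indent=2))
```

Whether a quoted phrase matches depends on the mapping of `http.url`: on a `text` field the analyzer turns `"UNION ALL SELECT"` into a phrase query over the tokens, while on a `keyword` field the whole stored value must equal the phrase, so a separate `.keyword` sub-field will not match substrings. Using a `range` filter (rather than a scoring clause) for the time window keeps the hit ranking driven by the indicators and lets Elasticsearch cache the window.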

I don't see how this is any different to be honest.