[resolved] API - Search query that need quotation mark in lucene

mike99 · December 14, 2021, 9:22pm

Hi all,

We are using Graylog 4.2.3 on Debian 11.1 and use the API to query search and it work just fine. My problem is that I need to do a query in lucent that need quotation mark in lucene but I can’t figure out how to do it through the API

Web UI search I try to replicate via the API
"2/2/2"
And it will output everything related to device with ID 2/2/2 but I need the quote else, lucene will ignore the slash and search every message that include 2 instead.

Via the API, my request is

curl -X "POST" "http://arecord.domain.ext:9000/api/views/search/messages" \
     -H 'X-Requested-By: myself' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'myuser:mypassword' \
     -d $'{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "2/2/2"
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

But the output is the same as if I search 2/2/2 in the GUI without quote. I tried several way to escape the quotation mark and try to pass it up to lucene but while capturing network traffic and looking back at pcap with wireshark. On those pcap, I was only able to see 2 POST send to the API:
2/2/2
that return every message that include a 2
or
""2/2/2""
that return an error.

Here some example of query I tried

"query_string": \"2/2/2\"
"query_string": '"2/2/2"'
"query_string": '\"2/2/2\"'
"query_string": "\"2/2/2"\"
"query_string": '"\"2/2/2\""'

etc.

Anybody know how to pass “2/2/2” to lucene via api or else, can we search special character in an other way ? 2/2/2 don’t work either.

Thanks

tmacgbay · December 14, 2021, 10:35pm

I found this on StackOverflow that suggests escaping the forward slash and/or changing the query to be analyzed as keyword rather than token. Resulting in something similar to below…? (I am only using google-fu…this does NOT come from any prior knowledge)

 "query_string": {
    "type": "elasticsearch",
     "query_string" : {                    <---- create this block
        "query" : "2\/2\/2",
        "analyzer": "keyword"         <---- add this line
      },

mike99 · December 14, 2021, 10:48pm

Thanks @tmacgbay,

I already tried those and just tried it again. It work through the GUI but not through the API. The result is the same as “2 AND 2 AND 2” so I’m pretty sur the quote where remove again before hitting the API.

tmacgbay · December 15, 2021, 1:16am

did you try double escape?

"query" : "2\\/2\\/2",

mike99 · December 15, 2021, 2:01am

@tmacgbay, Thanks again for the reply.

Yes, I read the stackoverflow post you shared and tried it after but sadly, it still return the same result as “2 AND 2 AND 2”. What seems to be missing is the "analyzer": "keyword" but the API return me that this option is unknow.

{"type":"ApiError","message":"Unable to map property analyzer.\nKnown properties include: query_string, type"}

mike99 · December 15, 2021, 2:22am

Awsome, I finally got the solution after looking at this post

The solution is to triple escape the double quote you want to reach lucene.

If it can help anybody, here the query:

curl -X "POST" "http://arecord.domain.ext:9000/api/views/search/messages" \
     -H 'X-Requested-By: myname' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'myuser:mypassword' \
     -d $'{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "\\\"2/2/2\\\""
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

where
\\\"2/2/2\\\"
will be
"2/2/2"
in lucene.

gsmith · December 15, 2021, 2:36am

Thanks for posting your resolution to this issue.

tmacgbay · December 15, 2021, 3:54pm

Glad you found it, and thanks for posting for future searches!!

system · December 29, 2021, 3:54pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.