[resolved] API - Search query that need quotation mark in lucene

Hi all,

We are using Graylog 4.2.3 on Debian 11.1 and use the API to query search, and it works just fine. My problem is that I need to do a query in Lucene that needs quotation marks, but I can’t figure out how to do it through the API.

Web UI search I try to replicate via the API
"2/2/2"
And it will output everything related to the device with ID 2/2/2, but I need the quotes, else Lucene will ignore the slash and search every message that includes 2 instead.

Via the API, my request is

curl -X "POST" "http://arecord.domain.ext:9000/api/views/search/messages" \
     -H 'X-Requested-By: myself' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'myuser:mypassword' \
     -d $'{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "2/2/2"
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

But the output is the same as if I searched 2/2/2 in the GUI without quotes. I tried several ways to escape the quotation marks and pass them up to Lucene while capturing network traffic and looking back at the pcap with Wireshark. In those pcaps, I was only able to see 2 POSTs sent to the API:
2/2/2
that returns every message that includes a 2
or
""2/2/2""
that returns an error.

Here are some examples of queries I tried

"query_string": \"2/2/2\"
"query_string": '"2/2/2"'
"query_string": '\"2/2/2\"'
"query_string": "\"2/2/2"\"
"query_string": '"\"2/2/2\""'

etc.

Does anybody know how to pass “2/2/2” to Lucene via the API, or else, can we search special characters in another way? 2/2/2 doesn’t work either.

Thanks

I found this on StackOverflow that suggests escaping the forward slash and/or changing the query to be analyzed as a keyword rather than a token. Resulting in something similar to below…? (I am only using google-fu… this does NOT come from any prior knowledge)

 "query_string": {
    "type": "elasticsearch",
     "query_string" : {                    <---- create this block
        "query" : "2\/2\/2",
        "analyzer": "keyword"         <---- add this line
      },

Thanks @tmacgbay,

I already tried those and just tried it again. It works through the GUI but not through the API. The result is the same as “2 AND 2 AND 2”, so I’m pretty sure the quotes were removed again before hitting the API.

Did you try double escaping?

"query" : "2\\/2\\/2",

@tmacgbay, Thanks again for the reply.

Yes, I read the StackOverflow post you shared and tried it afterwards, but sadly it still returns the same result as “2 AND 2 AND 2”. What seems to be missing is the "analyzer": "keyword", but the API returns that this option is unknown.

{"type":"ApiError","message":"Unable to map property analyzer.\nKnown properties include: query_string, type"}

Awesome, I finally got the solution after looking at this post

The solution is to triple-escape the double quotes you want to reach Lucene.

If it can help anybody, here is the query:

curl -X "POST" "http://arecord.domain.ext:9000/api/views/search/messages" \
     -H 'X-Requested-By: myname' \
     -H 'Content-Type: application/json' \
     -H 'Accept: text/csv' \
     -u 'myuser:mypassword' \
     -d $'{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "\\\"2/2/2\\\""
  },
  "timerange": {
    "type": "relative",
    "range": 30000
  }
}'

where
\\\"2/2/2\\\"
will be
"2/2/2"
in lucene.

1 Like
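An added example (not Graylog's own client code, and not from the poster above) that traces a value through the two layers the request crosses, the shell's $'...' quoting and the API's JSON parsing, to show why the triple-escaped form reaches Lucene as "2/2/2" while the single-escaped form produces the ""2/2/2"" error seen earlier. It also builds the request body with json.dumps, so the quoting is handled by the library rather than by hand; the endpoint path and body shape are the ones from this thread.

```python
import json

SEARCH_ENDPOINT = "/api/views/search/messages"  # path used in the thread


def shell_ansi_c_unescape(s: str) -> str:
    """Subset of bash $'...' processing: backslash-backslash becomes one
    backslash and backslash-quote becomes a quote. That is all the payloads
    in this thread rely on; other $'...' escapes are deliberately ignored."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in ("\\", '"'):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def lucene_string_from_shell_literal(shell_literal: str):
    """Layer 1: the shell rewrites the literal. Layer 2: the API parses the
    JSON string. Returns what Lucene finally receives, or None when the
    resulting JSON is invalid (the API answers with an error in that case)."""
    after_shell = shell_ansi_c_unescape(shell_literal)
    try:
        return json.loads('"' + after_shell + '"')
    except json.JSONDecodeError:
        return None


def lucene_phrase(value: str) -> str:
    """Quote value as a Lucene phrase. Backslashes and quotes inside it are
    escaped so a value cannot close the phrase and append extra clauses."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_search_body(device_id: str, range_seconds: int = 30000) -> str:
    """JSON body for POST SEARCH_ENDPOINT; json.dumps emits the \\" escapes,
    so no manual backslash counting is needed."""
    body = {
        "query_string": {"type": "elasticsearch", "query_string": lucene_phrase(device_id)},
        "timerange": {"type": "relative", "range": range_seconds},
    }
    return json.dumps(body)


def query_seen_by_lucene(body_json: str) -> str:
    """The query string the API extracts from a body (reverse of the above)."""
    return json.loads(body_json)["query_string"]["query_string"]
```

Post the string returned by build_search_body as the request body with the same headers as the curl command above, and the shell layer disappears entirely.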

Thanks for posting your resolution to this issue. :+1:

Glad you found it, and thanks for posting for future searches!! :smiley:
