This repository has been archived by the owner on Oct 19, 2020. It is now read-only.
Does the plugin handle wildcards? #17
Comments
Hi, any update on this issue?
Hi @bossi6of9, can you confirm that this search works in Kibana dev tools or using curl?

```
GET nprobe-2018.07.03/_search
{
  "sort": [{"@timestamp": {"order": "asc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-360m",
              "lte": "now"
            }
          }
        },
        {
          "query_string": {
            "query": "IPV4_DST_ADDR:1.2.3*"
          }
        }
      ]
    }
  }
}
```
Thanks for getting back to me.

When I enter that in the Kibana console, I get:

```
{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "No mapping found for [timestamp] in order to sort on",
        "index_uuid": "9FfQwC2aR7KoQAZEOuTBtw",
        "index": "netflow-2018.07.17"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "netflow-2018.07.17",
        "node": "hmTS1JVQS8-MEXeBpRUP8A",
        "reason": {
          "type": "query_shard_exception",
          "reason": "No mapping found for [timestamp] in order to sort on",
          "index_uuid": "9FfQwC2aR7KoQAZEOuTBtw",
          "index": "netflow-2018.07.17"
        }
      }
    ]
  },
  "status": 400
}
```

If I use Discover, and use a wildcard, it works. If I try it on the Splunk search bar, the job never finishes.
On Tue, Jul 17, 2018 at 4:38 AM, Bruno Moura wrote:

> Hi @bossi6of9 <https://github.com/bossi6of9>,
> I wasn't able to reproduce it with very similar parameters searching against large indices.
> Can you confirm that this search works in Kibana dev tools or using curl?
>
> ```
> GET nprobe-2018.07.03/_search
> {
>   "sort": [{"timestamp": {"order": "asc"}}],
>   "query": {
>     "bool": {
>       "must": [
>         {
>           "range": {
>             "timestamp": {
>               "gte": "now-360m",
>               "lte": "now"
>             }
>           }
>         },
>         {
>           "query_string": {
>             "query": "IPV4_DST_ADDR:1.2.3*"
>           }
>         }
>       ]
>     }
>   }
> }
> ```
Update:

I tried another search, using this: query="IPV4_DST_ADDR:1.*.*.*" and it worked. However, if I try that with query="IPV4_DST_ADDR:10.*.*.*", then it never finishes.
No problem! Look at the current query, I have later edited the post to correct the definition from:

```
GET nprobe-2018.07.03/_search
{
  "sort": [{"@timestamp": {"order": "asc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-360m",
              "lte": "now"
            }
          }
        },
        {
          "query_string": {
            "query": "IPV4_DST_ADDR:1.2.3*"
          }
        }
      ]
    }
  }
}
```
Hi,

I'm testing out this plugin, and it works fine as long as the queries don't use wildcards. Is this supported?

For example, this works fine:

```
| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:5.6.7.8" fields=*
```

But this just spins:

```
| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:1.2.3*" fields=*
```
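The example below is added here and is not the plugin's own code: it sketches the `ess` argument to Elasticsearch body translation the thread is debugging, rewrites octet-aligned IPv4 wildcards such as `10.*.*.*` into a bounded CIDR `term` query (assuming the field is mapped as type `ip`), disables leading wildcards for patterns that must stay a `query_string`, and checks a sample `_mapping` response (constructed, ES 7 layout) for the sort field so the "No mapping found for [timestamp]" error surfaces before the search is sent.

```python
import ipaddress
import re
import shlex

# Constructed sample input, shaped like the ess command in this issue.
ESS_COMMAND = ('| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" '
               'index="nprobe-2018.07.03" latest=now earliest="now-360m" '
               'query="IPV4_DST_ADDR:10.*.*.*" fields=*')

# Constructed GET <index>/_mapping response (ES 7 layout, no type level).
SAMPLE_MAPPING = {"netflow-2018.07.17": {"mappings": {"properties": {
    "@timestamp": {"type": "date"}, "IPV4_DST_ADDR": {"type": "ip"}}}}}


def parse_ess(command):
    """Split the key=value arguments of a '| ess ...' command into a dict."""
    tokens = shlex.split(command)          # shlex strips the surrounding quotes
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def ip_prefix_to_cidr(pattern):
    """Rewrite 'a.b.*.*'-style IPv4 patterns as CIDR; None for anything else."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3})*)((?:\.\*)+)", pattern)
    if not m:
        return None                         # e.g. '1.2.3*' has no exact CIDR form
    fixed, stars = m.group(1).split("."), m.group(2).count("*")
    if len(fixed) + stars != 4:
        return None
    cidr = ".".join(fixed + ["0"] * stars) + "/%d" % (8 * len(fixed))
    return str(ipaddress.ip_network(cidr))  # ValueError if an octet exceeds 255


def build_query(params):
    """Build the search body shown in the thread, preferring CIDR to wildcard."""
    field, _, pattern = params["query"].partition(":")
    cidr = ip_prefix_to_cidr(pattern)
    if cidr:                                # ip-typed fields accept CIDR in a term query
        clause = {"term": {field: cidr}}
    else:                                   # keep the wildcard, refuse the costliest form
        clause = {"query_string": {"query": params["query"],
                                   "allow_leading_wildcard": False}}
    ts = params["tsfield"]
    return {"sort": [{ts: {"order": "asc"}}],
            "query": {"bool": {"must": [
                {"range": {ts: {"gte": params["earliest"], "lte": params["latest"]}}},
                clause]}}}


def indices_missing_field(mapping, field):
    """Indices whose mapping lacks `field`, i.e. those the sort would fail on."""
    return [name for name, body in mapping.items()
            if field not in body["mappings"].get("properties", {})]
```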