Case search from dashboard clic "invalid filters error"

[cyberpescadito]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu
OS version (client)	Seven
TheHive version / git hash	3.1.2-1
Package Type	DEB
Browser type & version	Chrome Version 64.0.3282.119

Problem Description

In dashboards, when clicking on a part of a donut, it should show me the list of the cases involved in the clicked part of the donut.
It works well with some dashboards, but also have some bugs for others. i'm trying to correlates clue to know what is the exact scenario for producing the bug. having more than 4 filters in the donut appear to be a first scenario
So, when clicking on the donut, the search page open, with an error "invalid filters error". criteria seems to be well imported on the search. Doing the search manually with the same criteria works fine.

Steps to Reproduce

1 - create a dashboard with a donut that have some filters (let's say 4/5 minimum)
2 - clic on one part of the donut
3 - the search page provide an error "invalid filters error" and empty case list

[nadouani]

Can you get the search api call and it's json post data? This will show the content of the query

[cyberpescadito]

Can you get the search api call and it's json post data? This will show the content of the query

I randomized the API call concerning values; I can provide the authentic one in MP if needed.

--data-binary '{"query":{"_and":[{"_and":[{"_string":"customFields.TLA.string:"tla""},{"_and":[{"_field":"customFields.caseSource.string","_value":"Src"},{"_field":"customFields.Region.string","_value":"WORLD"},{"_field":"customFields.category.string","_value":"Category"},{"_field":"customFields.Asset.string","_value":"Asset"},{"_between":{"_field":"startDate","_from":1514674800000,"_to":1546297199999}},{"_not":{"_field":"customFields.statusDetails.string","_value":"Cancelled"}}]}]},{"_and":[{"_not":{"status":"Deleted"}},{"_not":{"_in":{"_field":"_type","_values":["dashboard","data","user","analyzer","caseTemplate"]}}}]}]}}' --compressed

additionally, this appear only when i clic on "search" in the search page. when i'm clicking the donut, theres no API call

[nadouani]

I think this breaks the query:

{"_string":"customFields.TLA.string:"tla""}

You are certainly searching for "tla", can you search for \"tla\" or tla

[cyberpescadito]

Tried both (from the webui page where i got the error, modified criterias then capturing the call via developer tools when clic on "search" button), no case list appear:

--data-binary '{"query":{"_and":[{"_and":[{"_string":"customFields.TLA.string:TLA"},{"_and":[{"_field":"customFields.caseSource.string","_value":"src"},{"_field":"customFields.Region.string","_value":"region"},{"_between":{"_field":"startDate","_from":1514674800000,"_to":1546297199999}},{"_field":"customFields.Asset.string","_value":"asset"},{"_or":[{"_field":"customFields.category.string","_value":"category"},{"_field":"customFields.category.string","_value":"category"}]},{"_not":{"_field":"customFields.statusDetails.string","_value":"Cancelled"}}]}]},{"_and":[{"_not":{"status":"Deleted"}},{"_not":{"_in":{"_field":"_type","_values":["dashboard","data","user","analyzer","caseTemplate"]}}}]}]}}' --compressed

--data-binary '{"query":{"_and":[{"_and":[{"_string":"customFields.TLA.string:\"tla\""},{"_and":[{"_field":"customFields.caseSource.string","_value":"src"},{"_field":"customFields.Region.string","_value":"world"},{"_between":{"_field":"startDate","_from":1514674800000,"_to":1546297199999}},{"_field":"customFields.Asset.string","_value":"asset"},{"_or":[{"_field":"customFields.category.string","_value":"category"},{"_field":"customFields.category.string","_value":"category"}]},{"_not":{"_field":"customFields.statusDetails.string","_value":"Cancelled"}}]}]},{"_and":[{"_not":{"status":"Deleted"}},{"_not":{"_in":{"_field":"_type","_values":["dashboard","data","user","analyzer","caseTemplate"]}}}]}]}}' --compressed

[jojoob]

{"_string":"customFields.TLA.string:TLA"}

This looks weird to me. Is that supposed to be a search for "TLA" within the custom field named also "TLA"?

[cyberpescadito]

anonymized data :-)

[jojoob]

Of course. I didn't meant the same string. I just want to be sure this is what was intended. Because shouldn't it then be: {"customFields.TLA.string": "TLA"} or {"_field": "customFields.TLA.string", "_value": "TLA"}?

[nadouani]

Of course. I didn't meant the same string. I just want to be sure this is what was intended. Because shouldn't it then be: {"customFields.TLA.string": "TLA"} or {"_field": "customFields.TLA.string", "_value": "TLA"}?

Yes, but when the search page is opened from a click on a dashboard, the clickable item is not able to build the search criteria as you described above. Well this is a technical issue I need to address ;)

[nadouani]

I've found a solution for this one, it will be release within 3.1.3

[cyberpescadito]

Thanks Nabil :)