Error when using NOT in query field.

[ceeeekay]

Hi,

I'm trying to use the following query:

type:authlog AND failure:* NOT ssh_interface:public

Results in the error Error: Catch all: Expected ":" or [a-zA-Z0-9._] but " " found.

Is this supposed to work with plain Lucene query syntax, or am I making horrible assumptions about ESquery?

Thanks :)

[kiwiz]

Hey there! ESQuery doesn't support NOT atm, because afaik it's equivalent to a:b AND -a:c. I can add support for NOT if people start asking for it.

In the case of your particular query, I think you can do type:authlog _exists_:failure -ssh_interface:public (since AND is the default).

[ceeeekay]

Thanks for the tip.

The search now tests fine with your query, but I'm still getting an angry red error Error: Catch all: Expected ":" or [a-zA-Z0-9._] but " " found. at the top of the search details page, and the main search page claims it's failing. I also got an email reporting it's recovered, so I'm not sure what to think.

[edit] this seems to have cleared up once I enabled the search.

I do wonder if you're going to support Lucene queries whether we can't have full support for basic query structure (including NOT). As we're collecting and indexing all the logs, there's a lot of junk in the ES indexes that I'd like to exclude. Using the same syntax as we have in Kibana makes it easy for users to create alerts based on the dashboards they're used to using.

Loving 411 so far though.

Cheers.

[kiwiz]

Ah, that error message shows the status of the last execution of that Search (which was a syntax error).

Wrt. to NOT, fair enough. I've opened #20 to keep track of these issues and I'll fix them as they come up. Lemme know if you see any other inconsistencies and thanks for the feedback. :]

[ceeeekay]

Awesome - thanks!

[kiwiz]

Fixed in aeb144b.

[ceeeekay]

Hi again,

The fix seems to work (it's generating emails and showing OK on the search list), however hitting 'Test' on the search detail page generates the same error.

Never mind. I did a bad thing. ;)