Open bossi6of9 opened 6 years ago
Hi,
Any update on this issue?
Hi @bossi6of9, I wasn't able to reproduce it with very similar parameters searching against large indices.
Can you confirm that this search works in Kibana dev tools or using curl?
GET nprobe-2018.07.03/_search
{
  "sort": [{"@timestamp": {"order": "asc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-360m",
              "lte": "now"
            }
          }
        },
        {
          "query_string": {
            "query": "IPV4_DST_ADDR:1.2.3*"
          }
        }
      ]
    }
  }
}
Thanks for getting back to me.
When I enter that in the Kibana console, I get:
{ "error": { "root_cause": [ { "type": "query_shard_exception", "reason": "No mapping found for [timestamp] in order to sort on", "index_uuid": "9FfQwC2aR7KoQAZEOuTBtw", "index": "netflow-2018.07.17" } ], "type": "search_phase_execution_exception", "reason": "all shards failed", "phase": "query", "grouped": true, "failed_shards": [ { "shard": 0, "index": "netflow-2018.07.17", "node": "hmTS1JVQS8-MEXeBpRUP8A", "reason": { "type": "query_shard_exception", "reason": "No mapping found for [timestamp] in order to sort on", "index_uuid": "9FfQwC2aR7KoQAZEOuTBtw", "index": "netflow-2018.07.17" } } ] }, "status": 400 }
If I use Discover and use a wildcard, it works. If I try it on the Splunk search bar, the job never finishes.
On Tue, Jul 17, 2018 at 4:38 AM, Bruno Moura notifications@github.com wrote:
Hi @bossi6of9 https://github.com/bossi6of9, I wasn't able to reproduce it with very similar parameters searching against large indices.
Can you confirm that this search works in Kibana dev tools or using curl?
GET nprobe-2018.07.03/_search
{
  "sort": [{"timestamp": {"order": "asc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "timestamp": {
              "gte": "now-360m",
              "lte": "now"
            }
          }
        },
        {
          "query_string": {
            "query": "IPV4_DST_ADDR:1.2.3*"
          }
        }
      ]
    }
  }
}
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/brunotm/elasticsplunk/issues/17#issuecomment-405505159, or mute the thread https://github.com/notifications/unsubscribe-auth/Aih4LR80mos8F_PwP_ToIXGFrPWG9HzVks5uHaJpgaJpZM4VD8Xz .
Update:
I tried another search, using this: query="IPV4_DST_ADDR:1..." and it worked. However, if I try that with query="IPV4_DST_ADDR:10...", then it never finishes.
No problem!
Look at the current query: I have since edited the post to correct the field from timestamp to @timestamp, which is your current time field. That is where the missing mapping error comes from.
GET nprobe-2018.07.03/_search
{
  "sort": [{"@timestamp": {"order": "asc"}}],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-360m",
              "lte": "now"
            }
          }
        },
        {
          "query_string": {
            "query": "IPV4_DST_ADDR:1.2.3*"
          }
        }
      ]
    }
  }
}
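An added example, not code from the elasticsplunk project or from either poster: it builds the _search body that the ess parameters in this thread map to, checks the sort field against the index mapping before the query is sent (the timestamp vs @timestamp mismatch described above), and pulls the root cause out of an Elasticsearch error response. The mapping and the trimmed error response are constructed for the example.

```python
import json

def build_search(ts_field, earliest, latest, query_string):
    """Return the _search body: time range and sort on ts_field, plus a query_string clause."""
    return {
        "sort": [{ts_field: {"order": "asc"}}],
        "query": {"bool": {"must": [
            {"range": {ts_field: {"gte": earliest, "lte": latest}}},
            {"query_string": {"query": query_string}},
        ]}},
    }

def unmapped_sort_fields(body, mapping):
    """Return the sort fields of body that have no entry in the mapping's properties.
    Elasticsearch rejects a sort on such a field with a query_shard_exception."""
    mapped = set(mapping["properties"])
    return [field for clause in body["sort"] for field in clause if field not in mapped]

def root_causes(error_response):
    """Return (type, reason, index) for each root cause in an Elasticsearch error response."""
    return [(rc["type"], rc["reason"], rc.get("index"))
            for rc in error_response.get("error", {}).get("root_cause", [])]

# Constructed mapping modelled on the netflow index in the thread (assumed field set).
NETFLOW_MAPPING = {"properties": {"@timestamp": {"type": "date"},
                                  "IPV4_DST_ADDR": {"type": "ip"}}}

# Constructed error response, trimmed from the one pasted in the thread.
ERROR_RESPONSE = {"error": {"root_cause": [{"type": "query_shard_exception",
    "reason": "No mapping found for [timestamp] in order to sort on",
    "index": "netflow-2018.07.17"}], "type": "search_phase_execution_exception",
    "reason": "all shards failed"}, "status": 400}

if __name__ == "__main__":
    # The field name from the uncorrected query versus the corrected one.
    bad = build_search("timestamp", "now-360m", "now", "IPV4_DST_ADDR:1.2.3*")
    good = build_search("@timestamp", "now-360m", "now", "IPV4_DST_ADDR:1.2.3*")
    print("unmapped sort fields (timestamp):", unmapped_sort_fields(bad, NETFLOW_MAPPING))
    print("unmapped sort fields (@timestamp):", unmapped_sort_fields(good, NETFLOW_MAPPING))
    print(json.dumps(good, indent=2))
    print(root_causes(ERROR_RESPONSE))
```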
Hi,
I'm testing out this plugin, and it works fine as long as the queries don't use wildcards. Is this supported?
For example, this works fine:
| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:5.6.7.8" fields=*
But this just spins:
| ess eaddr="http://1.2.3.4:9200" tsfield="@timestamp" index="nprobe-2018.07.03" latest=now earliest="now-360m" query="IPV4_DST_ADDR:1.2.3*" fields=*