Choose a source dialog box returns unexpected results when searching data views with colon

[eedugon]

Kibana version: 8.13.2

When searching in the "choose a source" dialog box for data views with colon (:) in their names, the search results are unexpected. The workaround consists of using double quotes.

Colons in data views names are very common when using Cross Cluster Search (CCS).

Steps to reproduce:

0. Ensure that you have in your system a data view pointing to a remote cluster (in my lab it's called remote:test-index).
1. Open Visualizations Library
2. Click on Create New Visualization
3. Select Aggregations based --> Vertical bar
4. In the "Choose a source" dialog type the data view you want to search, which includes a colon : character. You will see that after typing one letter after the colon the search results don't make sense.

Example: Stage 0, nothing written in search box, all looks ok:

We want to search for that remote:test-index pattern.... so if we write remote or remote: all works fine:

But as soon as we add one extra letter remote:t then the search results get broken (everything is returned apparently):

^^ The previous results are unexpected, maybe because the search term is divided in tokens?

Workaround Using double quotes the problem disappears:

[elasticmachine]

Pinging @elastic/appex-sharedux (Team:SharedUX)

[tsullivan]

I have reproduced this problem in the global search bar as well.

I added a console.log statement here:

diff --git x-pack/plugins/saved_objects_tagging/public/ui_api/parse_search_query.ts x-pack/plugins/saved_objects_tagging/public/ui_api/parse_search_query.ts
index 625c7709417..80ab5152ed3 100644
--- x-pack/plugins/saved_objects_tagging/public/ui_api/parse_search_query.ts
+++ x-pack/plugins/saved_objects_tagging/public/ui_api/parse_search_query.ts
@@ -30,6 +30,7 @@ export const buildParseSearchQuery = ({

     try {
       parsed = Query.parse(query);
+      console.log('searchQuery-buildParseSearch-parsed', parsed);
     } catch (e) {
       return {
         searchTerm: query,

What I learned: when you write "remote:test-index" in a search box in Kibana, it gets parsed into an AST with the clause:

• field "remote" must eq value "test-index"

Screenshot of output of logs to the console which I have added in my investigation:

I think the only "field" we care about in the saved object search dialog boxes is the tag filter, which would let you narrow down the results that are tagged with "foo" by filtering for tag:(foo). Note that the parenthesis around the value make the parser interpret the value as an array:

I will reach out to some teams outside of AppEx-SharedUX for help: cc @elastic/kibana-core, original authors of the saved objects tagging features cc @elastic/eui-team, maintainers of the query parser

[TinaHeiligers]

Thanks for the ping! The issue is very similar to one we had a while ago with KQL and kuery, where the text from the search bar is passed directly through to the underlying AST. In the KQL/kuery case, we had some control over the AST and could modify that. Here we don’t. We'd need to implement a “query interpreter” that transforms the input into something the AST will interpret correctly. Using double quotes around a name that contains a colon works because it escapes the AST grammar for indicating key/value pairs. What you’re looking for is a similar escape mechanism.

Ideally, someone familiar with EUI's AST should suggest a workaround. In the mean time, we can try to implement custom middleware.

[pgayvallet]

IIRC, EUI's query language escape sequence is just the double quote character.

So searching for "remote:test" instead of remote:test may do the trick

[tsullivan]

I'm working on this through our EUI repo, which is where the query parser lives: https://github.com/elastic/eui/pull/7960