google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Boolean value exclusion\inclusion filter exception #1852

Open rushattac opened 3 years ago

rushattac commented 3 years ago

Describe the bug: If an attribute in a timeline contains a boolean value (true\false) and it was filtered on using the exclusion\inclusion filter feature, an exception is thrown.

To Reproduce: Steps to reproduce the behavior:

  1. Import data into a timeline with an attribute containing a boolean value.
  2. Apply an inclusion or exclusion filter.
  3. See the exception.

Expected behavior: for the filter to work correctly without throwing an error.

Desktop (please complete the following information): OS: Ubuntu 20.04.2 LTS; Browser: Firefox; Version: 86.0

Additional context: wsgi_error logs related to the issue

[2021-06-24 11:55:22,068] timesketch.elasticsearch/ERROR Unable to run search query: [query_shard_exception] failed to create query: Can't parse boolean value [True], expected [true] or [false]
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/timesketch/lib/datastores/elastic.py", line 565, in search
    _search_result = self.client.search(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/client/utils.py", line 84, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/client/__init__.py", line 1547, in search
    return self.transport.perform_request(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/transport.py", line 351, in perform_request
    status, headers_response, data = connection.perform_request(
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/connection/http_urllib3.py", line 261, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.8/dist-packages/elasticsearch/connection/base.py", line 181, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'search_phase_execution_exception', "failed to create query: Can't parse boolean value [True], expected [true] or [false]")

timesketch version: 20210602
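The error in the log above comes from rendering a Python bool with str(), which yields "True" where Elasticsearch only accepts the lowercase literals. The following is an added illustration, not timesketch's own filter code: a type-aware value renderer next to the naive one, a stand-in for Elasticsearch's strict boolean parsing, and a local evaluation of the chip over constructed sample events. Field names and events are made up for the example.

```python
from typing import Any

# Constructed sample timeline events (not from the issue) with a boolean attribute.
SAMPLE_EVENTS = [
    {"message": "logon", "is_admin": True, "port": 445},
    {"message": "logoff", "is_admin": False, "port": 22},
    {"message": "logon", "is_admin": False, "port": 445},
]


def render_value_naive(value: Any) -> str:
    """The defect in the report: str(True) yields 'True', which Elasticsearch rejects."""
    return str(value)


def render_value(value: Any) -> str:
    """Type-aware rendering of a filter value for an Elasticsearch query_string.

    bool is tested before int because bool is a subclass of int in Python.
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    # Strings are quoted; backslash and double quote are escaped for query_string syntax.
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(field: str, value: Any, exclude: bool = False, renderer=render_value) -> str:
    """Build one inclusion/exclusion chip as a query_string clause."""
    term = f"{field}:{renderer(value)}"
    return f"NOT {term}" if exclude else term


def es_accepts_boolean(token: str) -> bool:
    """Stand-in (not the Elasticsearch code) for its strict boolean parsing on a
    boolean-mapped field: only the lowercase literals parse; 'True' is rejected."""
    return token in ("true", "false")


def apply_filter(events: list, field: str, value: Any, exclude: bool = False) -> list:
    """Expected behaviour of the chip, evaluated locally over the sample events."""
    return [e for e in events if (e.get(field) == value) != exclude]
```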

berggren commented 3 years ago

Good catch! We need to take the type information per attribute into account when creating the filters. I'll look into that as soon as time permits.