opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

[BUG] "Edit as Query DSL" functionality is generating both bad and incorrect DSL #5649

Open JTMosaic opened 9 months ago

JTMosaic commented 9 months ago

The "Edit as Query DSL" functionality is generating both bad and incorrect DSL

To Reproduce

  1. Log into Wazuh Dashboard and go to Security Events
  2. Add a rule where rule.level is one of 3, 4 or 5
  3. Edit the query and click on the Edit Query as DSL link to see:
    {
      "query": {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "rule.level": "3"
              }
            },
            {
              "match_phrase": {
                "rule.level": "4"
              }
            },
            {
              "match_phrase": {
                "rule.level": "5"
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    }
  4. Click Cancel, edit the filter again and change the Operator to is not one of and save the query
  5. Edit the query and click on the Edit Query as DSL link to see:
    {
      "query": {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "rule.level": "3"
              }
            },
            {
              "match_phrase": {
                "rule.level": "4"
              }
            },
            {
              "match_phrase": {
                "rule.level": "5"
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    }

    This is the exact same DSL. The negation of the operator is not present.

Additionally, if you copy this DSL into a new filter, you get a filter which is not editable as filter values and does not display correctly on the dashboard, though it does seem to work, albeit without the NOT.

Expected behavior

Correct DSL should be generated to make queries easier to save and document.

OpenSearch Version

wazuh-indexer 4.7.0-1

Dashboards Version

wazuh-dashboards 4.7.0-1

Plugins

Amazon AWS

This has already been reported to the Wazuh team. See the discussion here
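Added example, not part of the original issue and not OpenSearch Dashboards code: a sketch of a self-contained DSL for "is not one of", assuming the negation is carried by wrapping the clause from the report in `bool.must_not`. The function names are hypothetical and the sample values are constructed from the reproduction steps.

```javascript
// Added example (hypothetical helpers, not the project's code).
// Builds the query DSL for an "is one of" / "is not one of" filter so that
// the negation travels with the DSL itself when it is saved or documented.
function phrasesFilterToDsl(field, values, negate) {
  if (!Array.isArray(values) || values.length === 0) {
    throw new Error('at least one value is required');
  }
  // Same shape as the DSL shown in the issue for "is one of".
  const positive = {
    bool: {
      should: values.map((v) => ({ match_phrase: { [field]: String(v) } })),
      minimum_should_match: 1,
    },
  };
  // Assumption: express "is not one of" by wrapping the clause in must_not.
  const query = negate ? { bool: { must_not: [positive] } } : positive;
  return { query };
}

// True when the top-level query is a bool that only carries must_not clauses.
function isNegated(dsl) {
  const bool = dsl && dsl.query && dsl.query.bool;
  if (!bool || !Array.isArray(bool.must_not) || bool.must_not.length === 0) {
    return false;
  }
  return !bool.should && !bool.must && !bool.filter;
}

// Flags the symptom from the report: both operators yield identical DSL.
function negationLost(isOneOfDsl, isNotOneOfDsl) {
  return JSON.stringify(isOneOfDsl) === JSON.stringify(isNotOneOfDsl);
}

// Constructed sample input matching the reproduction steps.
const isOneOf = phrasesFilterToDsl('rule.level', [3, 4, 5], false);
const isNotOneOf = phrasesFilterToDsl('rule.level', [3, 4, 5], true);
console.log(JSON.stringify(isNotOneOf, null, 2));
console.log('negation lost:', negationLost(isOneOf, isNotOneOf));
```
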

Tostti commented 9 months ago

Although this issue mentions Wazuh Dashboard, Security Events section, it is reproducible in the Discover section of OSD.

I just reproduced it on 2.11.1.

kavilla commented 8 months ago

Hello @JTMosaic,

Will check this out as soon as possible and will try to read up on the other thread. In the meantime, could you verify if this is a relatively recent issue and worked prior to an upgraded version? Or has this been a persisting issue?

JTMosaic commented 8 months ago

Thank you, @kavilla. I've not tried it in prior versions.

JTMosaic commented 7 months ago

Any update on this?

kavilla commented 7 months ago

Will look into this as soon as possible.

kavilla commented 4 months ago

Did a deep dive into this area so will check it out again. Apologies on the delay here. Will have to move it to 2.15.