Elastalert: Error 400 parsing_exception using [and]

Created on 22 Feb 2017 · 10 Comments · Source: Yelp/elastalert

Hi

An alert created with "and" in the filter returns a 400 error.
Filter example =>

filter:
- term:
    type: "sometype"
- and:
  - term:
      Someterm: "example"

Error =>
Error running your filter:
RequestError(400, u'parsing_exception', {u'status': 400, u'error': {u'line': 1, u'root_cause': [{u'reason': u'[and] query malformed, no start_object after query name', u'type': u'parsing_exception', u'line': 1, u'col': 244}], u'type': u'parsing_exception', u'reason': u'[and] query malformed, no start_object after query name', u'col': 244}})
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them, use --verbose.

All 10 comments

Just remove and.

filter:
- term:
     type: "sometype"
- term:
     someterm: "Example"

Thanks, Qmando, but, what about "or"? The problem is the same:

TransportError(400, u'parsing_exception', u'[or] query malformed, no start_object after query name')

Regards

It seems that if we take the conditional examples from the docs (http://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html#negation-and-or) to ensure correct formatting and run them against a 2.x stack, they work perfectly; however, the exact same filter does seem to throw a transport error when run against a 5.x stack. I'll investigate further, dig into the code and, if necessary, see if I can submit a pull request to fix it.

Hi Kureus

It's exactly my case: I had elastalert running against a 2.x stack and the rules worked fine, but when I try to migrate them to a 5.x stack they throw those errors.

Thanks a lot

For now, I recommend you use query strings when possible. This will let you implement boolean logic in 5.x.

filter:
 - query:
      query_string:
        query: "somefield: somevalue OR foo: bar"

Thanks Qmando, works like a charm =)

@Qmando That seems to not work with backslashes, do you know what I should try instead?

e.g.

filter:
- query:
    query_string:
        query: "syscall.executable:'/usr/bin/foo'"

errors out.

-Cheers

Never mind, I got it with: query: "syscall.executable:\"/usr/bin/foo\""

\o/
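Both the query_string workaround above and the quoting fix for the path value come down to building the Lucene query text correctly and then placing it in the rule's YAML without a second layer of escaping. The helper below is an added example, not ElastAlert's own code; the function names are hypothetical, and it assumes only the YAML shape shown in this thread (a `filter` list with one `query` / `query_string` entry).

```python
import re

# Lucene query_string operators that may legitimately appear as bare upper-case words.
KNOWN_OPERATORS = {"AND", "OR", "NOT", "TO"}


def escape_phrase(value: str) -> str:
    """Escape a value for use inside a double-quoted Lucene phrase.

    Inside "..." only the backslash and the double quote need escaping;
    slashes in paths such as /usr/bin/foo pass through untouched.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def phrase_clause(field: str, value: str) -> str:
    """Build one field:"value" clause, always quoting the value."""
    return '%s:"%s"' % (field, escape_phrase(value))


def build_query_string(all_of=(), none_of=(), any_of=()):
    """Combine (field, value) pairs into AND / AND NOT / OR logic for query_string."""
    groups = []
    if all_of:
        groups.append(" AND ".join(phrase_clause(f, v) for f, v in all_of))
    if none_of:
        groups.append(" AND ".join("NOT " + phrase_clause(f, v) for f, v in none_of))
    if any_of:
        groups.append("(" + " OR ".join(phrase_clause(f, v) for f, v in any_of) + ")")
    return " AND ".join(groups)


def rule_filter_yaml(query: str) -> str:
    """Render the query as a single-quoted YAML scalar in an ElastAlert filter block.

    A single-quoted YAML scalar only escapes ' (as ''), so the backslashes and
    double quotes produced by escape_phrase reach Elasticsearch unchanged.
    """
    scalar = "'" + query.replace("'", "''") + "'"
    return "filter:\n- query:\n    query_string:\n      query: %s\n" % scalar


def unknown_operators(query: str) -> list:
    """Lint: report bare upper-case words outside quoted phrases that are not operators."""
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    words = re.findall(r"\b[A-Z]{2,}\b", unquoted)
    return [w for w in words if w not in KNOWN_OPERATORS]
```

Running `unknown_operators` over a query before loading the rule catches typos such as a misspelled boolean operator, which query_string otherwise treats as an ordinary search term.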

Will this be fixed in the near future?

This does not work for me, I need help.

filter:
- query:
    query_string:
      query: 'request: "/room/*" AND NOT request: /trackback AND NOT message: "/trackback" AND NOT request: "name.ico" AND NOT request: "/all-rules" AND NOR message: "null"'
- query:
    query_string:
      query: 'agent.type: "filebeat" AND host.hostname: "server-name" AND response: "404"'