Graylog2-server: Regression in queries in Graylog 3.0

Created on 20 Feb 2019 · 6 Comments · Source: Graylog2/graylog2-server

I think there might be a regression in queries in Graylog 3.0.
I updated my Graylog setup from Graylog 2.5.1/Elasticsearch 5.6 to Graylog 3.0/Elasticsearch 6.6 and discovered a problem with queries.

Expected Behavior

According to the help, I can use parentheses in queries to find any of the words:
http://docs.graylog.org/en/3.0/pages/queries.html#syntax

For example NOT user:(gitlab-runner jenkins git). This worked as expected on Graylog 2.5.1 and doesn't on 3.0.
For now I had to change the query to NOT (user:gitlab-runner OR user:git OR user:jenkins)

Current Behavior

The query NOT user:(gitlab-runner jenkins git) returns all items.

Possible Solution

Change the query to NOT (user:gitlab-runner OR user:git OR user:jenkins)

Steps to Reproduce (for bugs)

  1. Run a query with any_field:(value1 value2)
  2. It doesn't work in ver 3.0
  3. Change the query to any_field:value1 OR any_field:value2
  4. It works

Context

I used these queries to filter some events from alerts. I had to change them to more complicated ones like NOT (user:gitlab-runner OR user:git OR user:jenkins)

Your Environment

  • Graylog Version: 3.0.0-12
  • Elasticsearch Version: 6.6.0
  • MongoDB Version: 4.0.2
  • Operating System: Ubuntu 18.04.1 LTS
  • Browser version: Google Chrome 72.0.3626.109

P.S. I haven't found any related issues.

bug search

All 6 comments

I could reproduce the issue in Elasticsearch 6.5.1, but not on 5.6.13. I guess there was some change in behaviour we weren't aware of.

We managed to find out why this behaviour changed:

The split_on_whitespace parameter for the query_string query has been removed. If provided, it will be ignored and issue a deprecation warning. The query_string query now splits on operator only.

Extract from the ES 6.0 breaking changes: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/breaking-changes-6.0.html

This was confirmed in https://github.com/elastic/elasticsearch/issues/31297#issuecomment-401238569, which also links to a new way of getting the same result that was introduced after the change. Unfortunately it needs to be set in index templates, so we would need to update Graylog's templates to be able to work around the problem.

To summarize:

  • @Nklya for now the easiest way to fix the query is to add OR operators around the different terms, e.g. NOT user:(gitlab-runner OR jenkins OR git).
  • We need to update our documentation to point out this change of behaviour.
  • We should consider modifying our ES templates to include the new split_queries_on_whitespace option, or try to find another way to make old queries keep their old behaviour.
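The workaround from the comment above, turned into a small rewriter for saved searches and alert conditions. This is an added example, not code from Graylog or from the commenter: it finds `field:(term term ...)` groups that rely on the pre-ES-6 whitespace splitting and makes the OR operators explicit, leaving groups that already contain operators, prefixes or a single term untouched.

```python
import re

# A field-scoped group: field name, colon, then a parenthesised body without
# nested parentheses, e.g. user:(gitlab-runner jenkins git)
FIELD_GROUP = re.compile(r'(\w[\w.\-]*):\(([^()]*)\)')
# Tokens inside a group: quoted phrases stay whole, everything else splits on whitespace
TOKEN = re.compile(r'"[^"]*"|\S+')
# Lucene query_string operators; a group that already uses them needs no rewrite
OPERATORS = {"AND", "OR", "NOT", "&&", "||", "!"}


def rewrite_group(field: str, body: str) -> str:
    """Return the group with explicit OR between bare terms, or unchanged."""
    tokens = TOKEN.findall(body)
    if len(tokens) < 2:
        return f"{field}:({body})"
    # Leave groups alone that already carry operators or +/- required/prohibited prefixes
    if any(tok in OPERATORS or tok[0] in "+-" for tok in tokens):
        return f"{field}:({body})"
    return f"{field}:({' OR '.join(tokens)})"


def rewrite_query(query: str) -> str:
    """Rewrite every whitespace-separated field group in a query_string query.

    ES 6 no longer splits the group body on whitespace, so user:(a b c) is sent
    to the analyzer as one string and matches nothing; NOT of that matches everything.
    """
    return FIELD_GROUP.sub(lambda m: rewrite_group(m.group(1), m.group(2)), query)


if __name__ == "__main__":
    # Constructed sample queries in the style of the ones reported in this issue
    for q in (
        "NOT user:(gitlab-runner jenkins git)",
        'message:("failed login" root) AND source:(host1 host2)',
        "NOT (user:gitlab-runner OR user:git OR user:jenkins)",
    ):
        print(f"{q}\n  -> {rewrite_query(q)}")
```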

Thanks!
I already use OR to workaround this.

@edmundoa: Are there any follow up tasks for this issue or can it be closed?

@dennisoelkers as far as I know only the last point remains:

We should consider modifying our ES templates to include the new split_queries_on_whitespace option, or try to find another way to make old queries keep their old behaviour.

Should we create a new issue for that or modify the scope of this one?
