query for a quoted string #1465

Idam7961 · 2024-06-07T20:24:26Z

Idam7961
Jun 7, 2024

this is my current filter for a rule

filter:
- query:
    query_string:
      query: "message: error"

i would like it to be a query for this string with quotes "log.level":"info"

so i change the filter in according to the docs using the \ to escape the quotes and ":" to this:

filter:
- query:
    query_string:
      query: "message:  \"log.level\"\:\"info\""

but its not working. what should be the right syntax please?

thank you.

Answered by jertel

Jun 7, 2024

filter:
- query:
    query_string:
      query: "message: \"\\\"log.level\\\"\:\\\"info\\\"\""

Note that this is attempting to match the exact string "log.level":"info". It cannot be a substring of the message, it must be the entire, exact string in order for it to match.

View full answer

jertel · 2024-06-07T23:47:45Z

jertel
Jun 7, 2024
Maintainer

filter:
- query:
    query_string:
      query: "message: \"\\\"log.level\\\"\:\\\"info\\\"\""

Note that this is attempting to match the exact string "log.level":"info". It cannot be a substring of the message, it must be the entire, exact string in order for it to match.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

query for a quoted string #1465

{{title}}

Replies: 1 comment

{{title}}

Select a reply

query for a quoted string #1465

Idam7961 Jun 7, 2024

Replies: 1 comment

jertel Jun 7, 2024 Maintainer

Idam7961
Jun 7, 2024

jertel
Jun 7, 2024
Maintainer