Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regress in queries in Graylog 3.0 #5694

Open
Nklya opened this issue Feb 20, 2019 · 6 comments
Open

Regress in queries in Graylog 3.0 #5694

Nklya opened this issue Feb 20, 2019 · 6 comments
Labels
bug search

Comments

@Nklya
Copy link

Nklya commented Feb 20, 2019

I think there might be regress in queries in Graylog 3.0.
I updated my Graylog setup from Graylog 2.5.1/Elasticsearch 5.6 to Graylog 3.0/Elasticsearch 6.6 and discovered a problem with queries.

Expected Behavior

According to help, I can use parentheses in queries to find any of word
http://docs.graylog.org/en/3.0/pages/queries.html#syntax

For example NOT user:(gitlab-runner jenkins git). This worked as expected on Graylog 2.5.1 and doesn't on 3.0.
For now I had to change query to NOT (user:gitlab-runner OR user:git OR user:jenkins)

Current Behavior

Query NOT user:(gitlab-runner jenkins git) return all items.

Possible Solution

Change query to NOT (user:gitlab-runner OR user:git OR user:jenkins)

Steps to Reproduce (for bugs)

  1. Run query with any_field: (value1 value2)
  2. It doesn't work in ver 3.0
  3. Change query to any_field:value1 OR any_field:value2
    4.It works

Context

I used these queries to filter some events from alerts. I had to change them to more complicated like NOT (user:gitlab-runner OR user:git OR user:jenkins)

Your Environment

  • Graylog Version: 3.0.0-12
  • Elasticsearch Version: 6.6.0
  • MongoDB Version: 4.0.2
  • Operating System: Ubuntu 18.04.1 LTS
  • Browser version: Google Chrome 72.0.3626.109

P.S. I haven't found related issues
@edmundoa
Copy link
Contributor

I could reproduce the issue in Elasticsearch 6.5.1, but not on 5.6.13. I guess there was some change in behaviour we weren't aware of.

@edmundoa edmundoa added bug and removed to-verify labels Feb 28, 2019
@edmundoa
Copy link
Contributor

edmundoa commented Feb 28, 2019
edited
Loading

We managed to find out why this behaviour changed:

The split_on_whitespace parameter for the query_string query has been removed. If provided, it will be ignored and issue a deprecation warning. The query_string query now splits on operator only.

Extract from the ES 6.0 breaking changes: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/breaking-changes-6.0.html

This was confirmed in elastic/elasticsearch#31297 (comment), which also links to a new way of getting the same result that got introduced after the change. Unfortunately it needs to be set in index templates, so we would need to update Graylog's templates to be able to workaround the problem.

To summarize:

  • @Nklya for now the easiest way to fix the query is to add OR operators around the different terms, e.g. NOT user:(gitlab-runner OR jenkins OR git).
  • We need to update our documentation to point out this change of behaviour.
  • We should consider modifying our ES templates to include the new split_queries_on_whitespace option, or try to find another way to make old queries keep their old behaviour.

@Nklya
Copy link
Author

Nklya commented Feb 28, 2019
edited
Loading

Thanks!
I already use OR to workaround this.

edmundoa pushed a commit to Graylog2/documentation that referenced this issue Mar 1, 2019
Document split_on_whitespace removal on searches
cb48725 
Refs: Graylog2/graylog2-server#5694
@edmundoa edmundoa mentioned this issue Mar 1, 2019
Merged
jalogisch pushed a commit to Graylog2/documentation that referenced this issue Mar 1, 2019
@edmundoa @jalogisch
Document breaking change in grouping in ES6 (#590)
5271975 
Document Elasticsearch 6 change in grouping keyword searches, where the `split_on_whitespace` has been removed.

Refs Graylog2/graylog2-server#5694

This also needs to be included in the 2.5 documentation.
jalogisch added a commit to Graylog2/documentation that referenced this issue Mar 1, 2019
@jalogisch
added note about ES6
ebb5c31 
Refs: Graylog2/graylog2-server#5694
@dennisoelkers
Copy link
Member

@edmundoa: Are there any follow up tasks for this issue or can it be closed?

@edmundoa
Copy link
Contributor

edmundoa commented Jun 5, 2019

@dennisoelkers as far as I know only the last point remains:

We should consider modifying our ES templates to include the new split_queries_on_whitespace option, or try to find another way to make old queries keep their old behaviour.

@dennisoelkers
Copy link
Member

Should we create a new issue for that or modify the scope of this one?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug search
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dennisoelkers @edmundoa @Nklya @deeshe