Many of our customers build out some very lengthy and complex search queries using our search syntax, which is based on Lucene query syntax and uses ElasticSearch to return the results. However, if there is a problem with your search syntax, you will probably see this error message pop up.
While you may want to review our Kenna Search Terms, sometimes you simply need a second pair of eyes to review the syntax and those eyes come in the form of the Validate Asset Search Query endpoint in our API. This is a handy tool which will tell you whether your search query is valid or not, and attempt to provide suggested changes.
Using the Validate Asset Search Query API
For example, let’s say you got the aforementioned error when trying this query:
tag: "Web Servers" or "Workstations" and ip: [10.0.0.1 to 10.10.26.200]
Steps to test this with the API endpoint:
- Grab the curl command and your API key. You must be an admin, read only, or normal user to have an API key.
- Encode the query string following the q parameter. Because we are using curl, the query string after the q parameter must be url encoded. Here you can see how the query changes using this url encoder tool.
3. Build your curl command in a text editor. To make the output more legible, add | python -m json.tool to the end of your command. In this example, the command would look like this (API key has since been changed).
curl -H "X-Risk-Token: _YBvQ6cMc39qnMoHxLk-o6Aq6wyssapRhUUzypzEz5SbvT7H_x7V5mfrWkjNy5q2" "<https://api.kennasecurity.com/assets/validate_search?q=tag%3A+%22Web+Servers%22+or+%22Workstations%22+and+ip%3A+%5B10.0.0.1+to+10.10.26.200%5D"> -X GET
The response I get includes the original query, the suggested query, and states that my query was not valid. In this case, the suggestion capitalized the AND and OR terms I was using and, following that logic, it should have also capitalized the TO.
The corrected query string should be:
tag: ("Web Servers" OR "Workstations") AND ip: [10.0.0.1 TO 10.10.26.200]
If after trying these steps, you still get the error message and no results returned, you may want to reach out to your customer experience team or email email@example.com.