Variable as part of the mongo query

Rainer · June 3, 2022, 9:56am

In a GraphQL query this works, only in the Mongo query not at all.

in my aggregation query there is this line:
src_ip : {$nin : [{{VAR_src_ip.value}}]}

VAR_src_ip is a text field with the content:

192.168.222.100", "93.113.208.70
corresponds to:
value
"192.168.222.100","93.113.208.70"

But does not work in the Mongo query.
It does for GraphQL queries.
Can someone help me?

Jay · June 3, 2022, 12:40pm

Can you share a screenshot of this mongo query?

Rainer · June 3, 2022, 2:00pm

Of course, this is how it works

$match:
{
syslog_type:"sophos_xg",
log_type:"Firewall",
$expr: {$eq : ["$month_document",{{ select_month.value }}] }
,src_ip: {$in : ["192.168.222.100","93.113.208.70"]}
}

I would like to replace src_ip line with a text variable (this works with GraphQL)

$match:
{
syslog_type:"sophos_xg",
log_type:"Firewall",
$expr: {$eq : ["$month_document",{{ select_month.value }}] }
{{VAR_src_ip.value}}
}

Or at worst, like this:

$match:
{
syslog_type:"sophos_xg",
log_type:"Firewall",
$expr: {$eq : ["$month_document",{{ select_month.value }}] }
,src_ip: {$in : [{{VAR_src_ip.value}}]}
}

Jay · June 3, 2022, 2:30pm

What's the error you are seeing when you run it with {{VAR_src_ip.value}}?

Jay · June 3, 2022, 2:32pm

Also, what doe {{VAR_src_ip.value}} look like in your left panel?

Rainer · June 3, 2022, 2:51pm

If I define the query like this

$match:
{
syslog_type:"sophos_xg",
log_type:"Firewall",
$expr: {$eq : ["$month_document",{{ select_month.value }}] }
{{VAR_src_ip.value}}
}

With VAR_src_ip.value:
,src_ip: {$in : ["192.168.222.100", "93.113.208.70"]}

Comes a JSON error:

The value given - [ { $addFields: { month_document: { "$month": {$toDate : "$timestamp" }} } }, { $match: { syslog_type:"sophos_xg", log_type:"Firewall", $expr: {$eq : ["$month_document",6] } **,src_ip: {$in : ["192.168.222.100","93.113.208.70"]} } }**, { $group: { "_id": { "src_ip" : "$src_ip", "year": {$toString: { "$year": {$toDate : "$timestamp" }}}, "month_number" : { "$month": {$toDate : "$timestamp" }}, "month": {$toString: { "$month": {$toDate : "$timestamp" }}}, "week": {$toString: { "$week": {$toDate : "$timestamp" }}}, "dayOfWeek": {$toString: { "$dayOfWeek": {$toDate : "$timestamp" }}} }, count: {$sum:1} } }, { $sort : {count : -1} } , { $project: { src_ip : "$_id.src_ip", year : "$_id.year", month_number : "$_id.month_number", week : {$concat : ["$_id.week","/","$_id.year"]}, month : {$concat : ["$_id.month","/","$_id.year"]}, dayOfWeek : {$concat : ["$_id.week","/","$_id.year","/","$_id.dayOfWeek"]}, count : "$count", _id : false } }, { $limit : 30 } ] must be valid JSON.

Rainer · June 3, 2022, 3:04pm

Rainer · June 3, 2022, 3:12pm

This is the original error ... in my previous post the asterisks come from the bold mark.

The value given - [ { $addFields: { month_document: { "$month": {$toDate : "$timestamp" }} } }, { $match: { syslog_type:"sophos_xg", log_type:"Firewall", $expr: {$eq : ["$month_document",6] } ,src_ip: {$in : ["192.168.222.100","93.113.208.70"]} } }, { $group: { "_id": { "src_ip" : "$src_ip", "year": {$toString: { "$year": {$toDate : "$timestamp" }}}, "month_number" : { "$month": {$toDate : "$timestamp" }}, "month": {$toString: { "$month": {$toDate : "$timestamp" }}}, "week": {$toString: { "$week": {$toDate : "$timestamp" }}}, "dayOfWeek": {$toString: { "$dayOfWeek": {$toDate : "$timestamp" }}} }, count: {$sum:1} } }, { $sort : {count : -1} } , { $project: { src_ip : "$_id.src_ip", year : "$_id.year", month_number : "$_id.month_number", week : {$concat : ["$_id.week","/","$_id.year"]}, month : {$concat : ["$_id.month","/","$_id.year"]}, dayOfWeek : {$concat : ["$_id.week","/","$_id.year","/","$_id.dayOfWeek"]}, count : "$count", _id : false } }, { $limit : 30 } ] must be valid JSON.