[Bug] Unable to find case by Case Number

[BlueJokerr]

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	CentOS
OS version (client)	8
Virtualized Env.	True
Dedicated RAM	16 GB
vCPU	12
TheHive version / git hash	4.1.4-1
Package Type	RPM
Database	Cassandra
Index type	Lucene
Disk	Local
Browser type & version	Chrome

Problem Description

We are facing a random error when trying to search for some cases using their case number (#15611 for example) via WebGUI, TheHive fails to find it and returns an "Unable to find case with number...", but the case does exist, we try to do some debug and found that TheHive calls an api method (/api/case/_search) using the field "caseId". We try to simulate that api call and found that it returns an empty array as if the case doesn't exist.
If we search for the case manually in the case menu we can find it and the case number is OK, we also try to do an api call (/api/v1/query) with the real ID (DB ID) and in the result we can see that the case number is also correct.

This issue is really annoying because we use the case number for tracking purposes.

Maybe it could be an index issue?

Steps to Reproduce

Random error

Possible Solutions

N/A

Complementary information

I'm attaching print screens of the error:

• WebGUI case search:
  

• API Call when WebGUI case search is executed returns null:
  

• API Call by case number using POSTMAN returns null:
  

• Searching manually in cases tab we can find the case with its corresponding case number:
  
  

• API call usind case ID returns correct case with corresponding case number:
  

[nadouani]

Hello @BlueJokerr This is weird as I cannot see any reason for it. The case is listed, this means it exists in the index, and the number is correct. Do you see any error in logs when searching by number?

[BlueJokerr]

Hi @nadouani, thanks for your reply. Unfortunatly no errors are detected in logs, tried searching in cassandra and thehive logs and could only see that the search is performed and returns 200:

[nadouani]

Thanks for the logs, I'll try to fix the deprecated use of the filter firstly and check if there is any other reason.

[nadouani]

Trying a fix as I wasn't able to reproduce.

[B4mcruz]

Hi @nadouani, I don't think that the issue is related to the deprecated filter, because I've tried doing a post to the api using the field/value non-deprecated method and I couldn't find the case either.