Alert - Rules query_string not working

Hello,

I have a log as a JSON string like below, which has been parsed with a JSON parser and stored in Elasticsearch:

{
  "_index": "some index",
  "fields": {
    "many keys": "values",
    "class.keyword": [
      "org.apache.kafka.streams.KafkaStreams"
    ],
    "class": [
      "org.apache.kafka.streams.KafkaStreams"
    ],
    "message": [
      "stream-client [App-01ce8fb0-4432-4998-85c4-bae921f925fa] State transition from RUNNING to ERROR"
    ]
  }
}

I need the search query to be:
class : "org.apache.kafka.streams.KafkaStreams" and message : "*State transition from RUNNING to ERROR", which should occur at least once to trigger an alert.

I tried query_string like below, but nothing worked:

{
  "query": {
    "query_string": {
      "query": "*State transition from RUNNING to ERROR",
      "fields": ["message"],
      "minimum_should_match": 1
    }
  }
}

Also:

{
  "query": {
    "query_string": {
      "query": "(class:org.apache.kafka.streams.KafkaStreams) AND (message:*State transition from RUNNING to ERROR)",
      "minimum_should_match": 1
    }
  }
}

Can I get some guidance? Which clause is best for my scenario?

Thanks in advance for your suggestion
Fredrick

@kibanaquery @HereToHelp I've been waiting since Oct 21. Can anyone take a look and respond?
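Added example (not from the original post or the Elastic project): query_string parses its text as syntax, so an unquoted `*State transition from RUNNING to ERROR` becomes a leading-wildcard term plus four separate words joined by the default OR, which is why the alert condition is not what the post intends. The helpers below build the same condition two ways, assuming the mapping implied by the sample document (`class` with a `class.keyword` sub-field, `message` an analyzed text field); `escape_qs`, `quote_qs`, `query_string_alert` and `bool_alert` are names chosen here.

```python
"""Build the KafkaStreams RUNNING->ERROR alert query without letting the
query_string parser reinterpret the phrase. Constructed example."""
import json
import re

# Characters the query_string syntax treats as operators; each one is
# escaped with a backslash when it should be matched literally.
_QS_RESERVED = re.compile(r'([+\-=!(){}\[\]^"~*?:\\/<>]|&&|\|\|)')


def escape_qs(value: str) -> str:
    """Backslash-escape query_string syntax characters in a literal term,
    e.g. the "[App-...]" brackets in the sample message."""
    return _QS_RESERVED.sub(r'\\\1', value)


def quote_qs(value: str) -> str:
    """Wrap a literal in double quotes so query_string treats it as one
    phrase; inside quotes only backslash and the quote need escaping."""
    inner = value.replace('\\', '\\\\').replace('"', '\\"')
    return f'"{inner}"'


def query_string_alert(class_name: str, phrase: str) -> dict:
    """query_string form: both values quoted, joined with an explicit AND."""
    q = f'class:{quote_qs(class_name)} AND message:{quote_qs(phrase)}'
    return {"query": {"query_string": {"query": q}}}


def bool_alert(class_name: str, phrase: str) -> dict:
    """bool form: exact keyword match on class plus a phrase match on
    message. No query parser is involved, so the text can't be misread
    as syntax; minimum_should_match is not needed with filter clauses."""
    return {"query": {"bool": {"filter": [
        {"term": {"class.keyword": class_name}},
        {"match_phrase": {"message": phrase}},
    ]}}}


if __name__ == "__main__":
    body = bool_alert("org.apache.kafka.streams.KafkaStreams",
                      "State transition from RUNNING to ERROR")
    print(json.dumps(body, indent=2))
```

The bool form is the safer choice for an alert rule; reserve query_string for cases where operators are actually wanted, and escape or quote any value that comes from outside the rule.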
