Assistance with fields and filtering on Elk query

Hi all.

Can someone assist? I am trying to add an additional field to this query, but it does not seem to work as expected. I am trying to simply add the field "message" and filter based on a matched string.

Here is my query....

{
"aggs": {
"2": {
"terms": {
"field": "httpURI.keyword",
"order": {
"1": "desc"
},
"size": 5
},
"aggs": {
"1": {
"cardinality": {
"field": "xxxxxxxxxxx-redacted"
}
},
"3": {
"terms": {
"field": "httpResponseCode",
"order": {
"1": "desc"
},
"size": 5
},
"aggs": {
"1": {
"cardinality": {
"field": "xxxxxxxxx-redated"
}
}
}
}
}
}
},
"size": 0,
"_source": {
"excludes":
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"query": {
"bool": {
"must": ,
"filter": [
{
"match_all": {}
},
{
"match_all": {}
},
{
"match_phrase": {
"httpMethod.keyword": {
"query": "POST"
}
}
},
{
"exists": {
"field": "httpResponseCode"
}
},
{
"bool": {
"minimum_should_match": 1,
"should": [
{
"match_phrase": {
"httpURI.keyword": "URL1 - dedacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "url2 - redacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "url3 redatced"
}
},
{
"match_phrase": {
"httpURI.keyword": "URL 4 redacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "URL5 redacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "url6 redacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "url7 redacted"
}
},
{
"match_phrase": {
"httpURI.keyword": "url8 redacted"
}
}
]
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2020-08-31T22:00:00.000Z",
"lte": "2020-09-01T11:19:46.563Z"
}
}
}
],
"should": ,
"must_not":
}
}
}

Thanks in advance. P.S. I am struggling with the nesting of fields in the top part of the query.

Welcome to our community! :smiley:

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:
