Can't get boolean logic in Kibana filters to work

daniel-burke · April 8, 2016, 8:55am

I'm having trouble getting an OR clause to work in a filter. Given a document like this

{
  "_index": "logstash-2016.04.08",
  "_type": "Snip",
  "_id": "AVP1CQe9mfZFtYFl63KA",
  "_score": null,
  "_source": {
    "message": "\"Snip\"",
    "@version": "1",
    "@timestamp": "2016-04-08T08:42:02.009Z",
    "host": "ip-10-32-115-150"
  },
  "fields": {
    "@timestamp": [
      1460104922009
    ]
  },
  "sort": [
    1460104922009
  ]
}

I'm trying to construct an OR filter against the host field like this

{
  "bool": {
    "should": [
      {
        "term": {
          "host": "ip-10-32-115-150"
        }
      },
      {
        "term": {
          "host": "ip-10-32-115-151"
        }
      }
    ]
  }
}

But I don't get any results back. I'm following these docs:
https://www.elastic.co/guide/en/kibana/current/discover.html#discover-filters

Any ideas?

Khalah_Jones_Golden · April 8, 2016, 12:16pm

What version of kibana are you running?

There definitely seems to be something up with or filters on discover though. I can't quite reproduce what problems you're having. But i definitely do not get back expected results. I get back results for only one of the filters.

daniel-burke · April 8, 2016, 2:32pm

I'm on
Version 4.3.1
Build 9517
Commit SHA d6e412d

Khalah_Jones_Golden · April 8, 2016, 6:16pm

Hmm i just got it, i think your queries are structured incorrectly, this is an example query that runs fine for me

{
  "query": {
    "bool": {
      "should": [
        {
          "term": {
            "machine.os": "ios"
          }
        },
        {
          "term": {
            "machine.os": "osx"
          }
        }
      ]
    }
  }
}

daniel-burke · April 8, 2016, 7:02pm

Thanks Khalah but I can't get that to work. I'm using a query like this:

{
  "query": {
    "bool": {
      "should": [
        {
          "term": {
            "host": "ip-10-32-123-38"
          }
        }
      ]
    }
  }
}

One thing I did notice is that I use a field like _type it works? But I need to query within the _source field.
_source.host didn't work either.

Khalah_Jones_Golden · April 8, 2016, 8:16pm

What is the output of the request and response tabs on the spy for the discover vis?

daniel-burke · April 11, 2016, 8:16am

Here you go:

Request:

{
  "size": 0,
  "aggs": {},
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  },
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "*",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "query": {
                "bool": {
                  "should": [
                    {
                      "term": {
                        "host": "ip-10-32-123-38"
                      }
                    }
                  ]
                }
              },
              "$state": {
                "store": "appState"
              }
            },
            {
              "range": {
                "@timestamp": {
                  "gte": 1460361564392,
                  "lte": 1460362464392,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  }
}

Response

{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 10,
    "successful": 10,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": 0,
    "hits": []
  }
}

daniel-burke · April 11, 2016, 11:05am

I worked out what was wrong - I needed to use the .raw version of the field. This works

{
  "query": {
    "bool": {
      "should": [
        {
          "term": {
            "host.raw": "ip-10-32-123-38"
          }
        }
      ]
    }
  }
}