Hey all!
I ran into a problem with my elasticsearch query.
I try to match log patterns of different tests, ran on a specific app.
My goal is to match all of the patterns, in any of the tests.
The full query I built is this:
GET index/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"auto.bundle_id": "com.app.myapp"
}
},
{
"range": {
"@timestamp": {
"gte": "2023-07-09T12:20:11.722304"
}
}
}
],
"should": [
{
"bool": {
"must": [
{
"regexp": {
"auto.test_1.device_log.keyword": ".*ActivityManager: Dumping to \\/data\\/anr\\/anr_[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{3}.*"
}
},
{
"match_phrase": {
"auto.test_1.device_log": "--------- beginning of crash"
}
},
{
"match_phrase": {
"auto.test_1.device_log": ": crash_dump helper failed to exec, or was killed "
}
}
]
}
},
{
"bool": {
"must": [
{
"regexp": {
"auto.test_2.device_log.keyword": ".*ActivityManager: Dumping to \\/data\\/anr\\/anr_[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{3}.*"
}
},
{
"match_phrase": {
"auto.test_2.device_log": "--------- beginning of crash"
}
},
{
"match_phrase": {
"auto.test_2.device_log": ": crash_dump helper failed to exec, or was killed "
}
}
]
}
}
],
"must_not": [],
"minimum_should_match": 1
}
}
}
This gives 0 hits.
If i remove the regex parts, like this:
GET index/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"auto.bundle_id": "com.app.myapp"
}
},
{
"range": {
"@timestamp": {
"gte": "2023-07-09T12:20:11.722304"
}
}
}
],
"should": [
{
"bool": {
"must": [
{
"match_phrase": {
"auto.test_1.device_log": "--------- beginning of crash"
}
},
{
"match_phrase": {
"auto.test_1.device_log": ": crash_dump helper failed to exec, or was killed "
}
}
]
}
},
{
"bool": {
"must": [
{
"match_phrase": {
"auto.test_2.device_log": "--------- beginning of crash"
}
},
{
"match_phrase": {
"auto.test_2.device_log": ": crash_dump helper failed to exec, or was killed "
}
}
]
}
}
],
"must_not": [],
"minimum_should_match": 1
}
}
}
I get hits, some of them include the regex, which are the results I want to get, but some other hits that don't have that pattern.
On the other hand, if i remove all of the rest, and keep just the regex, like this:
{
"query": {
"bool": {
"must": [],
"should": [
{
"bool": {
"must": [
{
"regexp": {
"auto.test_1.device_log.keyword": ".*ActivityManager: Dumping to \\/data\\/anr\\/anr_[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{3}.*"
}
}
]
}
},
{
"bool": {
"must": [
{
"regexp": {
"auto.test_2.device_log.keyword": ".*ActivityManager: Dumping to \\/data\\/anr\\/anr_[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{3}.*"
}
}
]
}
}
],
"must_not": [],
"minimum_should_match": 1
}
}
}
I also get hits, including the ones that satisfy all of the original query.
I tried to look for a way to run this query, I believe it should be possible but maybe I was looking in the wrong places.
Any help will be appreciated.