Composite search question and error (need help please)

Hello Elastic bros

I am seeking some wisdom on setting up a composite search.

I am trying to filter out documents whose type is "OS_Threat.IO_Threats".

Below is my search query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must_not": {
        "match": {
          "type.keyword": "OS_Threat.IO_Threats"
        }
      },
      "must": {
        "range": {
          "timestamp": {
            "gte": "now-30d/d",
            "lt": "now/d"
          }
        }
      }
    }
  },
  "aggs": {
    "values": {
      "composite": {
        "size": 10,
        "sources": [
          {
            "src_ip.keyword": {
              "terms": {
                "field": "src_ip.keyword",
                "order": "asc"
              }
            }
          },
          {
            "geoip.country_name.keyword": {
              "terms": {
                "field": "geoip.country_name.keyword"
              }
            }
          },
          {
            "beat.name.keyword": {
              "terms": {
                "field": "beat.name.keyword"
              }
            }
          },
          {
            "type.keyword": {
              "terms": {
                "field": "type.keyword",
                "order": "asc"
              }
            }
          },
          {
            "ip_rep.keyword": {
              "terms": {
                "field": "ip_rep.keyword",
                "order": "asc"
              },
              "missing": "__missing__"
            }
          }
        ]
        },
        
      "aggs": {
        "firstseen": {
          "min": {
            "field": "@timestamp"
          }
        },
        "lastseen": {
          "max": {
            "field": "@timestamp"
          }
        }
      }
    }
  }
}

Currently I am getting the following error and I am a bit stumped on what to tweak in the query.

{
  "error": {
    "root_cause": [
      {
        "type": "x_content_parse_exception",
        "reason": "[61:13] [composite] failed to parse field [sources]"
      }
    ],
    "type": "x_content_parse_exception",
    "reason": "[61:13] [composite] failed to parse field [sources]",
    "caused_by": {
      "type": "illegal_state_exception",
      "reason": "expected value but got [END_OBJECT]"
    }
  },
  "status": 400
}

Removing the `"missing": "__missing__"` entry from the `ip_rep.keyword` source seems to fix it, but I would still like to include the documents that are missing that field if possible. Here is the version that works:

 {
                "_source": ["src_ip", "geoip.country_name", "beat.name", "type", "ip_rep"],
                "query": {
                    "bool": {
                        "must_not": {
                            "match": { "type.keyword": "OS_Threat.IO_Threats" }
                        },
                        "must": {
                            "range": {
                                "timestamp": {
                                    "gte": "now-30d/d",
                                    "lt": "now/d"
                                }
                            }
                        }
                    }
                },
                "aggs": {
                    "values": {
                        "composite": {
                            "size": 10000,
                            "sources": [
                                {
                                    "src_ip.keyword": {
                                        "terms": {
                                            "field": "src_ip.keyword",
                                            "order": "asc"
                                        }
                                    }
                                },
                                {
                                    "geoip.country_name.keyword": {
                                        "terms": {
                                            "field": "geoip.country_name.keyword"
                                        }
                                    }
                                },
                                {
                                    "beat.name.keyword": {
                                        "terms": {
                                            "field": "beat.name.keyword"
                                        }
                                    }
                                },
                                {
                                    "type.keyword": {
                                        "terms": {
                                            "field": "type.keyword",
                                            "order": "asc"
                                        }
                                    }
                                },
                                {
                                    "ip_rep.keyword": {
                                        "terms": {
                                            "field": "ip_rep.keyword"
                                        }
                                    }
                                }
                            ]
                        },
                        "aggs": {
                            "firstseen": {
                                "min": {
                                    "field": "@timestamp"
                                }
                            },
                            "lastseen": {
                                "max": {
                                    "field": "@timestamp"
                                }
                            }
                        }
                    }
                }
        }
