Custom filter in kibana discover

blueren · December 15, 2017, 8:58am

Hello,

I'd like to know how I can set up a custom query in kibana's discover. My requirement is basically with respect to netflow data that is being stored in the elstic db. I'd like to query:

Show all netflow records where either client_addr is between (...) OR server_addr is between (...)

Adding multiple filters, one for client_addr and one for server_addr in fact seems to do an AND operation. How do I go about having an OR operation?

Thanks.

timroes · December 15, 2017, 9:16am

Hi,

you can use the "Edit Query DSL" when creating a filter to freely type in any Elasticsearch Query DSL query to use. For an OR query Elasticsearch uses Bool queries with a should key and a minimum_should_match value. Your desired query looks like:

{
  "bool": {
    "should": [
      {
        "range": {
          "client_addr": {
            "gte": "0.0.0.0",
            "lt": "100.0.0.0"
          }
        }
      },
      {
        "range": {
          "server_addr": {
            "gte": "0.0.0.0",
            "lt": "100.0.0.0"
          }
        }
      }
    ],
    "minimum_should_match": 1
  }
}

The minimum_should_match states, that at least 1 entry from your should list must match the document.

Cheers,
Tim

blueren · December 15, 2017, 9:29am

Thanks for the quick turnaround Tim, however, I seem to be hitting this error. Is it something to do with the syntax?

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Unknown key for a START_OBJECT in [bool].",
        "line": 2,
        "col": 11
      }
    ],
    "type": "parsing_exception",
    "reason": "Unknown key for a START_OBJECT in [bool].",
    "line": 2,
    "col": 11
  },
  "status": 400
}

timroes · December 15, 2017, 9:32am

It might be, depending on your version, that you need to nest the query in another query object:

{
  "query": {
    "bool": {
      "should": [
        {
          "range": {
            "client_addr": {
              "gte": "0.0.0.0",
              "lt": "100.0.0.0"
            }
          }
        },
        {
          "range": {
            "server_addr": {
              "gte": "0.0.0.0",
              "lt": "100.0.0.0"
            }
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

blueren · December 18, 2017, 5:30am

Thanks Tim. This worked perfectly!

system · January 15, 2018, 5:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.