Dashboard filtering

Alice_Ionescu · March 10, 2023, 10:37am

Hello,

I want to add a filter that eliminates the records with type Disconnect and have user admin.
So only for user admin to eliminate the Disconnect events.

I've tried this, but it is not ok

{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must_not": {
              "term": {
                "event.enrichment.type.en.keyword": "Disconnect"
              }
            }
          }
        },
        {
          "bool": {
            "must": {
              "term": {
                "event.enrichment.actor.displayName.keyword": "admin"
              }
            }
          }
        }
      ]
    }
  }
}

Thanks!

carly.richmond · March 10, 2023, 3:18pm

Hi Alice,

Can you give more details as to what you mean by not ok? Is the query not returning the results you expect? Or an error?

mhoward · March 10, 2023, 4:17pm

If I understand what you're trying to do correctly, would you want to replace "should" with "must"? "Should" means only one of the requirements needs to be true, but "must" means both would have to be true to be returned.

system · April 7, 2023, 4:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.