Dashboard filtering

Alice_Ionescu · March 10, 2023, 10:37am

Hello,

I want to add a filter that eliminates the records with type Disconnect and have user admin.
So only for user admin to eliminate the Disconnect events.

I've tried this, but it is not ok

{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must_not": {
              "term": {
                "event.enrichment.type.en.keyword": "Disconnect"
              }
            }
          }
        },
        {
          "bool": {
            "must": {
              "term": {
                "event.enrichment.actor.displayName.keyword": "admin"
              }
            }
          }
        }
      ]
    }
  }
}

Thanks!

carly.richmond · March 10, 2023, 3:18pm

Hi Alice,

Can you give more details as to what you mean by not ok? Is the query not returning the results you expect? Or an error?

mhoward · March 10, 2023, 4:17pm

If I understand what you're trying to do correctly, would you want to replace "should" with "must"? "Should" means only one of the requirements needs to be true, but "must" means both would have to be true to be returned.

system · April 7, 2023, 4:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with filter for Visualization Kibana	3	360	November 7, 2019
Could or Should? Kibana kql-kibana-query-language , eql-elastic-query-language	4	407	February 17, 2023
Filter context in Kibana generated search Kibana	3	417	August 22, 2019
Filter curation, kql, dashboards, codegen: am I doing something stupid? Kibana	2	238	September 3, 2020
Disable exists query in Kibana 8.7 Kibana	15	779	June 6, 2023

Dashboard filtering

Related Topics