Divide query in separate new lines

Hello team,

This is my new post here; I am looking forward to sharing my experience and knowledge with the community.
I'm using Elasticsearch and Kibana for log monitoring, and for this purpose I also use the ES-Exporter for catching the exceptions in the logs.
I have a query like this:

GET _search
{
  "query": {
    "query_string": {
      "query": "message:\"com.microsoft.sqlserver.jdbc.SQLServerException\" AND @timestamp:(>=now-1h AND <now)"
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "kubernetes.labels.app.keyword"
      }
    }
  }
}

Can I somehow define some conditions on separate new lines using boolean operators, like below:

GET _search
{
  "query": {
    "query_string": {
      "query": "message:\"com.microsoft.sqlserver.jdbc.SQLServerException\"
                AND level: DEBUG
                AND threadname: xyz
                AND @timestamp:(>=now-1h AND <now)"
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "kubernetes.labels.app.keyword"
      }
    }
  }
}

This would make the query more readable. I tried using \n but without success.

Can you try wrapping the query in triple quotes, similar to this example?

GET _search
{
  "query": {
    "query_string": {
      "query": """message:\"com.microsoft.sqlserver.jdbc.SQLServerException\"
                  AND level: DEBUG
                  AND threadname: xyz
                  AND @timestamp:(>=now-1h AND <now)"""
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "kubernetes.labels.app.keyword"
      }
    }
  }
}

OK, this seems to be the solution. Thanks for that.
This query works:

GET _search
{
  "query": {
    "query_string": {
      "query": """message: "com.microsoft.sqlserver.jdbc.SQLServerException"
                  AND NOT message: "Condition 1"
                  AND NOT message: "Condition 2"
                  AND @timestamp:(>=now-90d AND <now)"""
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "kubernetes.labels.app.keyword"
      }
    }
  }
}

Could you please explain what role \" plays?

GET _search
{
  "query": {
    "query_string": {
      "query": """message:\"com.microsoft.sqlserver.jdbc.SQLServerException\"
                  AND NOT message:\" Condition 1\"
                  AND NOT message:\"Condition 2\"
                  AND @timestamp:(>=now-90d AND <now)"""
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "kubernetes.labels.app.keyword"
      }
    }
  }
}

So what is the difference between the above queries?

The backslash (\) is used to escape special characters in strings, such as double quotes (\"content\"). Arguably, when using triple double quotes ("""content""") escaping the single double quotes is not required, which is why the first one, without escaping, works. Hope that helps!
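As an added example (not code from this thread), the same multi-line query_string request assembled from Python, where the JSON encoder produces the `\"` and `\n` escapes that the Console's triple-quoted string handles for you, and each field value is backslash-escaped for query_string's reserved characters so that a value taken from elsewhere cannot alter the query's meaning. The helper names (escape_value, phrase, build_query_string, search_body, render) are my own.

```python
import json

# Characters the query_string parser treats as syntax (operators, grouping,
# quotes, ranges). Escaping them keeps a value from being parsed as syntax.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def escape_value(value: str) -> str:
    """Backslash-escape query_string reserved characters in a field value."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def phrase(field: str, value: str, negate: bool = False) -> str:
    """Render one clause as field:"value"; quotes or operators inside the
    value are escaped, so e.g. a stray '" OR *' stays part of the phrase."""
    clause = f'{field}:"{escape_value(value)}"'
    return f"NOT {clause}" if negate else clause


def build_query_string(clauses, window: str = "now-90d") -> str:
    """Join clauses with AND, one per line, then append the time-range clause.
    Newlines are plain whitespace to the query_string parser."""
    lines = list(clauses) + [f"@timestamp:(>={window} AND <now)"]
    return "\nAND ".join(lines)


def search_body(query: str, app_field: str = "kubernetes.labels.app.keyword") -> dict:
    """The _search body: the query_string plus the per-application terms aggregation."""
    return {
        "query": {"query_string": {"query": query}},
        "aggs": {"application": {"terms": {"field": app_field}}},
    }


def render(body: dict) -> str:
    """Serialise the body; inner quotes become \\" and newlines become \\n."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    q = build_query_string([
        phrase("message", "com.microsoft.sqlserver.jdbc.SQLServerException"),
        phrase("message", "Condition 1", negate=True),
        phrase("message", "Condition 2", negate=True),
    ])
    print(render(search_body(q)))
```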
