I'm currently using the elasticsearch filter plugin to search for documents I have in elasticsearch.
A snippet of my config file:
query => "messageContent:offline, alert AND senderID:%{[senderID]}"
sort => "@timestamp:desc"
Alert is the first document inserted and it's only done once. All the documents following it are offline.
When I apply the @timestamp:desc sort, however, alert is the first document to appear. When I take it out of the query, it pulls the latest offline document. Also, if I switch the code from
query => "messageContent:offline, alert AND senderID:%{[senderID]}"
to
query => "messageContent:alert, offline AND senderID:%{[senderID]}"
it works properly. Any suggestions to fix this issue?
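The two query strings in the post differ only in the order of the two messageContent terms, and under Lucene query_string rules (default operator OR, AND binding tighter than OR, a bare term searched in the default field) that order changes how the string is grouped. The following is an added example, not code from the post or from the Logstash plugin: a small simulation of those grouping rules evaluated over a constructed document set, sorted by @timestamp descending. It assumes a standard-analyzer-like field where the trailing comma on `offline,` is dropped, and the documents, sender IDs and timestamps are all made up for illustration.

```python
import re
from typing import Callable, Dict, List

Doc = Dict[str, object]
Pred = Callable[[Doc], bool]

# Constructed sample documents (not from the original post).
DOCS: List[Doc] = [
    {"id": 1, "@timestamp": 1, "messageContent": "alert",   "senderID": "A"},
    {"id": 2, "@timestamp": 2, "messageContent": "offline", "senderID": "A"},
    {"id": 3, "@timestamp": 3, "messageContent": "offline", "senderID": "B"},
    {"id": 4, "@timestamp": 4, "messageContent": "offline", "senderID": "A"},
]

# The two strings from the post (with %{[senderID]} substituted by "A")
# and an explicitly parenthesised form for comparison.
Q_ORIGINAL = "messageContent:offline, alert AND senderID:A"
Q_SWAPPED = "messageContent:alert, offline AND senderID:A"
Q_EXPLICIT = "(messageContent:offline OR messageContent:alert) AND senderID:A"

TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|[^\s()]+")


def term_pred(token: str, default_field: str) -> Pred:
    """Build a predicate for one term; a bare term targets the default field."""
    if ":" in token:
        field, value = token.split(":", 1)
    else:
        field, value = default_field, token
    # Assumption: standard analyzer strips trailing punctuation such as ','.
    value = value.rstrip(",").lower()
    return lambda d: str(d.get(field, "")).lower() == value


def parse(query: str, default_field: str) -> Pred:
    """Recursive-descent parser: OR (implicit or explicit) < AND < atom."""
    tokens = TOKEN_RE.findall(query)
    pos = 0

    def parse_or() -> Pred:
        nonlocal pos
        left = parse_and()
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] == "OR":
                pos += 1  # explicit OR; a bare adjacent clause is an implicit OR
            right = parse_and()
            left = (lambda l, r: (lambda d: l(d) or r(d)))(left, right)
        return left

    def parse_and() -> Pred:
        nonlocal pos
        left = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            right = parse_atom()
            left = (lambda l, r: (lambda d: l(d) and r(d)))(left, right)
        return left

    def parse_atom() -> Pred:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            pos += 1  # consume the matching ')'
            return inner
        return term_pred(tok, default_field)

    return parse_or()


def search(docs: List[Doc], query: str, default_field: str = "messageContent") -> List[int]:
    """Return matching document ids ordered by @timestamp descending."""
    pred = parse(query, default_field)
    hits = [d for d in docs if pred(d)]
    hits.sort(key=lambda d: d["@timestamp"], reverse=True)
    return [int(d["id"]) for d in hits]


if __name__ == "__main__":
    for q in (Q_ORIGINAL, Q_SWAPPED, Q_EXPLICIT):
        print(f"{q!r:65} -> {search(DOCS, q)}")
```

Under these rules the original string groups as `messageContent:offline OR (alert AND senderID:A)`, so offline documents from every sender match, while the swapped string groups as `messageContent:alert OR (offline AND senderID:A)`, and the parenthesised form restricts both terms to the one sender. Checking the grouping explicitly is the check a practitioner would run before relying on sort order.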