Elk_huh
(Brian)
December 18, 2023, 3:27pm
1
Is it possible to have 2 different must_not query strings across two different fields?
I have this, but it doesn't let me have 2 query strings:
GET winevents/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "event.code": {
              "value": "4724"
            }
          }
        }
      ],
      "must_not": [
        {
          "query_string": {
            "query": "*SVC",
            "default_field": "winlog.event_data.SubjectUserName"
          }
        }
      ],
      "must_not": [
        {
          "query_string": {
            "query": "*testcacount",
            "default_field": "winlog.event_data.TargetUserName"
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-7d"
            }
          }
        }
      ]
    }
  }
}
stephenb
(Stephen Brown)
December 18, 2023, 3:33pm
2
Hi @Elk_huh
Elk_huh:
  "must_not": [
    {
      "query_string": {
        "query": "*SVC",
        "default_field": "winlog.event_data.SubjectUserName"
      }
    },
    {
      "query_string": {
        "query": "*testcacount",
        "default_field": "winlog.event_data.TargetUserName"
      }
    }
  ],
The must_not takes an array, so put the two queries in the same must_not separated by a comma.
Elk_huh
(Brian)
December 18, 2023, 4:20pm
3
Even though it's two separate fields that I am trying to do a query string on?
stephenb
(Stephen Brown)
December 18, 2023, 4:25pm
4
Yes, give it a try... The must_not takes an array of queries that must not be matched.
Elk_huh
(Brian)
December 18, 2023, 5:13pm
5
stephenb:
T
It doesn't like it; it says duplicate query.
GET winevents/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "event.code": {
              "value": "4724"
            }
          }
        }
      ],
      "must_not": [
        {
          "query_string": {
            "query": "*SVC",
            "default_field": "FIELD1",
            "query": "*testcacount",
            "default_field": "FIELD2"
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-7d"
            }
          }
        }
      ]
    }
  }
}
stephenb
(Stephen Brown)
December 18, 2023, 5:38pm
6
Hi @Elk_huh
You did not follow my pattern.
Here is a sample working query:
GET logs-*/_search
{
  "query": {
    "bool": {
      "must_not": [
        {
          "term": {
            "kubernetes.namespace": {
              "value": "checkout"
            }
          }
        },
        {
          "term": {
            "kubernetes.namespace": {
              "value": "cart"
            }
          }
        }
      ]
    }
  }
}
So yours would look something like this, as I showed before: 2 separate query_strings in the must_not array.
...
  "must_not": [
    {
      "query_string": {
        "query": "*SVC",
        "default_field": "winlog.event_data.SubjectUserName"
      }
    },
    {
      "query_string": {
        "query": "*testcacount",
        "default_field": "winlog.event_data.TargetUserName"
      }
    }
  ]
...
BTW, leading * queries are very expensive / not efficient.
Elk_huh
(Brian)
December 18, 2023, 7:12pm
7
Right, I've tried that also; it says duplicate query_string. TERM1 and Term2 are two different fields.
I understand if it was 1 field it would be:
"query": "tesaccount OR *SVC"
"default_field": "winlog.event_data.TargetUserName"
stephenb
(Stephen Brown)
December 18, 2023, 7:28pm
8
This worked fine for me:
GET logs-*/_search
{
  "query": {
    "bool": {
      "must_not": [
        {
          "query_string": {
            "query": "checkout",
            "default_field": "kubernetes.namespace"
          }
        },
        {
          "query_string": {
            "query": "cart",
            "default_field": "kubernetes.namespace"
          }
        }
      ]
    }
  }
}
Just substitute your values.
Or better yet, use a term query:
GET logs-*/_search
{
  "query": {
    "bool": {
      "must_not": [
        {
          "term": {
            "winlog.event_data.SubjectUserName": {
              "value": "*SVC"
            }
          }
        },
        {
          "term": {
            "winlog.event_data.TargetUserName": {
              "value": "*testcacount"
            }
          }
        }
      ]
    }
  }
}
And again, a leading * is not really good.
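The pattern stephenb describes above (one `must_not` array holding one clause per field) and the two failed attempts (a repeated `must_not` key, then repeated `query`/`default_field` keys inside a single `query_string`) are both about how JSON objects behave: a key can only occur once, so a second copy either replaces the first or is rejected as a duplicate. The block below is an added example, not code from the thread or from Elastic. It builds the corrected query body from a list of (field, pattern) pairs, lints a query body for duplicate keys before it is sent, and runs a small local evaluator over constructed sample events so the must / must_not / filter semantics can be checked offline. The evaluator is an approximation: it treats a `query_string` pattern as a case-sensitive shell-style wildcard on a keyword value (real `query_string` analysis depends on the field mapping), supports only the `now-<N>d` range form used in the thread, and uses a fixed `NOW` so the window is deterministic. The event codes and user names are constructed, not real log data.

```python
import json
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Fixed reference time for the relative range window (constructed value).
NOW = datetime(2023, 12, 18, 15, 27, tzinfo=timezone.utc)


def build_query(event_code, excluded, since="now-7d"):
    """One must_not array with a separate query_string clause per (field, pattern) pair."""
    return {
        "query": {
            "bool": {
                "must": [{"term": {"event.code": {"value": event_code}}}],
                "must_not": [
                    {"query_string": {"query": pattern, "default_field": field}}
                    for field, pattern in excluded
                ],
                "filter": [{"range": {"@timestamp": {"from": since}}}],
            }
        }
    }


def find_duplicate_keys(text):
    """Keys repeated inside the same JSON object (json.loads would silently keep the last)."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dupes


def _get(doc, dotted):
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _since(expr):
    # Only the "now-<N>d" form from the thread is supported.
    return NOW - timedelta(days=int(expr.removeprefix("now-").removesuffix("d")))


def _clause_matches(clause, doc):
    (kind, body), = clause.items()
    if kind == "term":
        (field, spec), = body.items()
        return _get(doc, field) == spec["value"]
    if kind == "query_string":  # wildcard approximation of query_string on a keyword value
        value = _get(doc, body["default_field"])
        return value is not None and fnmatchcase(str(value), body["query"])
    if kind == "range":
        (field, spec), = body.items()
        return datetime.fromisoformat(_get(doc, field)) >= _since(spec["from"])
    raise ValueError(f"unsupported clause type: {kind}")


def matches(query, doc):
    """bool semantics: every must and filter clause matches, no must_not clause matches."""
    b = query["query"]["bool"]
    return (all(_clause_matches(c, doc) for c in b.get("must", []))
            and all(_clause_matches(c, doc) for c in b.get("filter", []))
            and not any(_clause_matches(c, doc) for c in b.get("must_not", [])))


def _event(code, subject, target, ts="2023-12-17T10:00:00+00:00"):
    return {"event": {"code": code}, "@timestamp": ts,
            "winlog": {"event_data": {"SubjectUserName": subject, "TargetUserName": target}}}


# Constructed sample events, not real Windows security log data.
SAMPLE_EVENTS = [
    _event("4724", "backupSVC", "bob"),                          # excluded: subject matches *SVC
    _event("4724", "alice", "testcacount"),                      # excluded: target matches *testcacount
    _event("4724", "alice", "bob"),                              # kept
    _event("4624", "alice", "bob"),                              # dropped by must: other event code
    _event("4724", "alice", "bob", "2023-11-01T10:00:00+00:00"),  # dropped by filter: outside 7 days
]
EXCLUSIONS = [("winlog.event_data.SubjectUserName", "*SVC"),
              ("winlog.event_data.TargetUserName", "*testcacount")]
# Shape of the first post: must_not written twice, so the second copy replaces the first.
BROKEN_BODY = '{"bool": {"must_not": [{"a": 1}], "must_not": [{"b": 2}]}}'


def run():
    """Indices of SAMPLE_EVENTS that the corrected query returns."""
    q = build_query("4724", EXCLUSIONS)
    return [i for i, d in enumerate(SAMPLE_EVENTS) if matches(q, d)]


def lint_built_query():
    """Duplicate keys in the serialized corrected query (expected: none)."""
    return find_duplicate_keys(json.dumps(build_query("4724", EXCLUSIONS)))


if __name__ == "__main__":
    print("matching sample events:", run())
    print("duplicate keys in broken body:", find_duplicate_keys(BROKEN_BODY))
```

Running `find_duplicate_keys` over a query body before sending it catches both mistakes from the thread early, and the local evaluator makes the intent of the corrected query explicit: an event is excluded if either field matches its pattern, while the event code and the time window are both required. The leading-wildcard cost stephenb points out still applies on the real cluster; the evaluator does not model it.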
system
(system)
Closed
January 15, 2024, 7:29pm
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.