Elasticsearch query

Elk_huh · November 5, 2021, 2:35pm

I cannot get this query to work. Note i cannot use the Filter field
i


GET /index-*/_search
{
  "query": {
          "term": {
        "result": "Reputation"
      },
    "range": {
      "@timestamp": {
        "gte": "now-50d",
        "lte": "now"
      }
    }

  }
}

warkolm · November 8, 2021, 12:02am

You will need to provide more information please.

Why do you think it doesn't work?
What are you expecting?
What do your documents look like?

Elk_huh · November 9, 2021, 5:57pm

I am getting this error , i am expecting documents back

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "[terms] query does not support [rsa.misc.result]",
        "line" : 4,
        "col" : 28
      }
    ],
    "type" : "parsing_exception",
    "reason" : "[terms] query does not support [rsa.misc.result]",
    "line" : 4,
    "col" : 28
  },
  "status" : 400
}

dadoonet · November 9, 2021, 6:40pm

Could you provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

Here the query you initially shared is incorrect. You must use a bool query.
The error message is not related by the query you shared. And it shows that your request is incorrect.

If you need help, provide details from where we can start to help.

Elk_huh · November 9, 2021, 8:05pm

This works

GET /filebeat-zscaler-*/_search
{
  "query": {
      "term": {
        "rsa.misc.filter": "Botnet Callback"
      }
  }
}

This works


GET /filebeat-zscaler-*/_search
{
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-50d",
        "lte": "now"
      }
    }
}
}

But this doesnt work

GET /filebeat-zscaler-*/_search
{
  "query": {
          "term": {
        "rsa.misc.filter": "Botnet Callback"
      },
    "range": {
      "@timestamp": {
        "gte": "now-50d",
        "lte": "now"
      }
    }
}
}

dadoonet · November 18, 2021, 3:06pm

If you want to have multiple queries, you need to use a bool query. See Boolean query | Elasticsearch Guide [7.15] | Elastic

system · December 16, 2021, 3:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.