Elasticsearch Query

How do I exclude multiple keywords from a field?

I need the following logic, but it's not letting me include two wildcards:

      "must_not": [
        {
          "wildcard": {
            "error.message": {
              "value": "*headers*"
            }
          },
          "wildcard": {
            "error.message": {
              "value": "*refused*"
            }
          }
        }
      ]

Code I currently have:

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "monitor.status": {
              "value": "down"
            }
          }
        }
      ],
      "must_not": [
        {
          "wildcard": {
            "error.message": {
              "value": "*headers*"
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-7d"
            }
          }
        }
      ]
    }
  }
}

Hi @Brian-cf1,

Which version of Elasticsearch are you using? Are you receiving a particular error with your prior query?

I managed to get the below working on 8.11:

GET test_index/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "monitor.status": {
              "value": "down"
            }
          }
        }
      ],
      "must_not": [
        {
          "wildcard": {
            "error.message": {
              "value": "*headers*"
            }
          }
        },
        {
          "wildcard": {
            "error.message": {
              "value": "*refused*"
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-7d"
            }
          }
        }
      ]
    }
  }
}

Just be wary: wildcard queries starting with * are not recommended, as they can slow your query down, as covered in the documentation.

This is how I found to exclude multiple strings:

GET heartbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "monitor.status": {
              "value": "down"
            }
          }
        }
      ],
      "must_not": [
        {
          "query_string": {
            "query": "*refused* OR *header* OR *timeout* OR *missing* OR *401*",
            "default_field": "error.message"
          }
        }
      ]
    }
  }
}

I was on 7.17, maybe that's why it didn't work; it said duplicate wildcard fields, but I found a way!
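Added example, not code from either poster: a Python script that builds the query from the thread programmatically, covering both the answer above (one `wildcard` object per exclusion inside the `must_not` array) and the `query_string` workaround in the last post. It also shows why the first attempt failed: two `"wildcard"` keys in one JSON object is a duplicate key, which Elasticsearch rejected and which `json.loads` would otherwise silently collapse to the last one, dropping an exclusion. Function names, the `gte` spelling of the range bound (used here in place of `from`), the reserved-character escaping for `query_string`, and the sample fragments are my assumptions, not anything from the thread.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample: the substrings the thread wants excluded from error.message.
EXCLUDED_FRAGMENTS = ["headers", "refused"]

# query_string reserved characters (from the Elasticsearch query_string docs).
# '<' and '>' cannot be escaped, so they are dropped; whitespace is escaped so a
# multi-word fragment stays one wildcard term instead of splitting into two.
_ESCAPABLE = set('+-=&|!(){}[]^"~*?:\\/ ')
_UNESCAPABLE = set("<>")


class DuplicateKeyError(ValueError):
    """One JSON object carried the same key twice."""


def wildcard_clause(field: str, fragment: str) -> dict[str, Any]:
    """One `wildcard` clause matching `fragment` anywhere in `field`.
    The leading '*' is the slow pattern the docs warn about; the point here is
    that each clause is its own object, so several can share one must_not array."""
    return {"wildcard": {field: {"value": f"*{fragment}*"}}}


def build_down_monitors_query(excluded: list[str], since: str = "now-7d") -> dict[str, Any]:
    """Down monitors since `since`, minus any whose error.message contains one of
    `excluded`. must_not is an array with one object per exclusion; that is the
    fix for the "duplicate wildcard fields" error of the first attempt."""
    return {
        "query": {
            "bool": {
                "must": [{"term": {"monitor.status": {"value": "down"}}}],
                "must_not": [wildcard_clause("error.message", f) for f in excluded],
                "filter": [{"range": {"@timestamp": {"gte": since}}}],
            }
        }
    }


def escape_query_string(fragment: str) -> str:
    """Backslash-escape `fragment` so query_string treats it as a literal."""
    out = []
    for ch in fragment:
        if ch in _UNESCAPABLE:
            continue
        out.append("\\" + ch if ch in _ESCAPABLE else ch)
    return "".join(out)


def query_string_exclusion(field: str, excluded: list[str]) -> dict[str, Any]:
    """The OR-joined query_string variant from the last post, built from a list.
    query_string parses its input as query syntax, so every fragment is escaped;
    only the wildcards added here remain operators."""
    pattern = " OR ".join(f"*{escape_query_string(f)}*" for f in excluded)
    return {"query_string": {"query": pattern, "default_field": field}}


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(key)
        obj[key] = value
    return obj


def first_duplicate_key(json_text: str) -> str | None:
    """Return the first key repeated within a single object, else None.
    Plain json.loads keeps only the last duplicate, so the second exclusion in
    the broken shape below disappears before the request is even sent."""
    try:
        json.loads(json_text, object_pairs_hook=_reject_duplicates)
    except DuplicateKeyError as exc:
        return exc.args[0]
    return None


# Constructed: the shape of the first attempt, two "wildcard" keys in one object.
BROKEN_MUST_NOT = """{
  "must_not": [
    {
      "wildcard": {"error.message": {"value": "*headers*"}},
      "wildcard": {"error.message": {"value": "*refused*"}}
    }
  ]
}"""


if __name__ == "__main__":
    print("duplicate key in first attempt:", first_duplicate_key(BROKEN_MUST_NOT))
    kept = json.loads(BROKEN_MUST_NOT)["must_not"][0]["wildcard"]["error.message"]["value"]
    print("what plain json.loads silently keeps:", kept)
    print(json.dumps(build_down_monitors_query(EXCLUDED_FRAGMENTS), indent=2))
    print(json.dumps(query_string_exclusion("error.message", EXCLUDED_FRAGMENTS + ["401: refused"])))
```

The dict returned by `build_down_monitors_query` serialises directly to a `_search` request body, so it can be passed to whichever client you use. Prefer the `must_not` array form when the excluded fragments come from configuration or user input: each fragment stays a literal `value`, whereas `query_string` interprets operators, which is why the second builder escapes its input.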
