Error: bool query does not support [must-not]

alerting

(Eric) #1

I get the following error when running the watcher:

"status": "failure"
"reason": "SearchPhaseExecutionException[all shards failed]; nested: QueryParsingException[bool query does not support [must-not]]; "

Would appreciate your help

Thank you,
Eric

{"watch" :
  "trigger" : {
    "schedule" : { "interval" : "300s" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "<logstash-{now}>", "<logstash-{now-1d}>" ],
        "body" : {
          "query": {
            "filtered": {
              "query": {
                "query_string": {
                  "query": "*",
                  "analyze_wildcard": true,
                  "fields": [
                    "json.message"
                  ]
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gt": "now-300s"
                        }
                      }
                    },
                    {
                      "query": {
                        "match": {
                          "attrs.label_env": {
                            "query": "prod"
                          }
                        }
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          {
                            "query": {
                              "match": {
                                "json.level": {
                                  "query": "ERROR",
                                  "type": "phrase"
                                }
                              }
                            }
                          },
                          {
                            "query": {
                              "match": {
                                "level": {
                                  "query": "ERR",
                                  "type": "phrase"
                                }
                              }
                            }
                          }
                        ]
                      }
                    }
                  ],
                  "must-not": [
                    {
                      "query": {
                        "match": {
                          "json.message": {
                            "query": "requestID:digital-retrieve-policy-details,message:General error while calling Guidewire: 10001 - Workflow exception triggered.",
                            "type": "phrase"
                          }
                        }
                      }
                    }
                  ]
                }
              }
            }
          },
          "fields": [
            "@timestamp",
            "attrs.label_env",
            "attrs.label_app",
            "json.requestId",
            "json.message",
            "json.level"
          ]
        }
      }
    }
  }

(Alexander Reelsen) #2

Hey,

The exception is spot on. There is no such thing as a must-not query that is part of a bool query. There is only a must_not query (with an underscore); see the bool query documentation.

Always test your query before inserting it in your watch, so you know that it is valid. Makes it easier to spot watcher issues or query issues.

Hope this helps.

--Alex
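
One way to act on the advice to test a query before it goes into a watch, as an added example that is not part of the original thread: a Python check that walks a search body and reports `bool` clause names that are near-miss spellings of `must`, `must_not`, `should` or `filter`. `SAMPLE_BODY` is a constructed, cut-down version of the query above, and the function names are hypothetical.

```python
import json
import re

# Clause names of the Elasticsearch bool query/filter, as spelled in the DSL.
BOOL_CLAUSES = {"must", "must_not", "should", "filter"}

# Constructed sample: a reduced form of the watch's search body from the thread.
SAMPLE_BODY = json.loads("""
{"query": {"filtered": {
  "query": {"query_string": {"query": "*"}},
  "filter": {"bool": {
    "must": [{"range": {"@timestamp": {"gt": "now-300s"}}}],
    "must-not": [{"query": {"match": {"json.message": {"query": "sample text"}}}}]
  }}
}}}
""")


def _canonical(key):
    """Fold hyphenated, camelCase and upper-case spellings onto snake_case."""
    key = re.sub(r"(?<=[a-z])(?=[A-Z])", "_", key)
    return key.replace("-", "_").replace(" ", "_").lower()


def lint_bool_clauses(node, path="$"):
    """Return (json_path, bad_key, suggested_key) for misspelled bool clauses."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "bool" and isinstance(value, dict):
                for clause in value:
                    fixed = _canonical(clause)
                    # Only flag keys that become a real clause once normalised,
                    # so other bool parameters are left alone.
                    if clause not in BOOL_CLAUSES and fixed in BOOL_CLAUSES:
                        findings.append((f"{path}.bool", clause, fixed))
            findings.extend(lint_bool_clauses(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(lint_bool_clauses(item, f"{path}[{i}]"))
    return findings


if __name__ == "__main__":
    for where, bad, good in lint_bool_clauses(SAMPLE_BODY):
        print(f"{where}: '{bad}' is not a bool clause, did you mean '{good}'?")
```

This catches only misspelled clause names; running the body as a search against the cluster remains the full check.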


(Eric) #3

Got it. Thank you for your help.

