Error: bool query does not support [must-not]

eeivin · May 8, 2016, 3:23pm

I get the following error when running the watcher:

"status": "failure"
"reason": "SearchPhaseExecutionException[all shards failed]; nested: QueryParsingException[bool query does not support [must-not]]; "

Would appreciate your help

Thank you,
Eric

{"watch" :
"trigger" : {
"schedule" : { "interval" : "300s" }
},
"input" : {
"search" : {
"request" : {
"indices" : [ "<logstash-{now}>", "<logstash-{now-1d}>" ],
"body" : {
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*",
"analyze_wildcard": true,
"fields": [
"json.message"
]
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gt": "now-300s"
}
}
},

                                      {
                                         "query": {
                                           "match": {
                                             "attrs.label_env": {
                                                "query": "prod"
                                              }
                                          }
                                        }
                                      },

                                      {
                                        "bool": {
                                            "should": [
                                                    {
                                                      "query": {
                                                        "match": {
                                                          "json.level": {
                                                            "query": "ERROR",
                                                            "type": "phrase"
                                                          }
                                                        }
                                                      }
                                                    },

                                                    {
                                                      "query": {
                                                        "match": {
                                                          "level": {
                                                            "query": "ERR",
                                                            "type": "phrase"
                                                          }
                                                        }
                                                      }
                                                    }

                                            ]
                                          }
                                        }
                              ],

                              "must-not": [
                                   {
                                    "query": {
                                       "match": {
                                         "json.message": {
                                            "query": "requestID:digital-retrieve-policy-details,message:General error while calling Guidewire: 10001 - Workflow exception triggered.",
                                             "type": "phrase"
                                         }
                                      }
                                   }
                                 }
                             ]

                              
                            }
                          }
                        }
                      },
                      "fields": [
                        "@timestamp",
                        "attrs.label_env",
                        "attrs.label_app",
                        "json.requestId",
                        "json.message",
                        "json.level"
                      ]
                    }
                  }
          }
        }

spinscale · May 8, 2016, 4:34pm

Hey,

the exception is spot on. There is no such thing as a must-not query, that is part of a bool query. There is only a must_not query (with an underscore), see the bool query documentation

Always test your query, before inserting in your watch, so you know that it is valid. Makes it easier to spot watcher issues or query issues.

hope this helps.

--Alex

eeivin · May 8, 2016, 5:25pm

Got it. Thank you for your help.

Topic		Replies	Views
Why the bool query dose not work with filter query? Elasticsearch	3	2168	July 6, 2017
Elasticsearch watcher error for RANGE query Elasticsearch elastic-stack-alerting	3	7779	January 31, 2017
Query that parses and works fine in ES, fails to parse/work in Watcher Kibana elastic-stack-alerting	3	530	April 15, 2019
Must_not query is not working in Watcher Elasticsearch	1	651	August 26, 2019
X_content_parse_exception Elastic Search elastic-app-search	4	1309	February 2, 2024

Error: bool query does not support [must-not]

Related topics