Exact match in the filter query

Hi friends,

I am writing a Python script that queries ES to search Linux syslog.

The script sends the following query.

{'query': {'bool': {'filter': [{'query_string': {'query': 'oom-killer AND exim'}}, {'range': {'@timestamp': {'time_zone': '+10:00', 'lte': 'now/d', 'gte': 'now-2d/d'}}}, {'term': {'host': ''}}]}}, 'size': 500, 'sort': [{'@timestamp': {'order': 'asc'}}, {'@timestamp': {'order': 'asc'}}]}

and I get the following two results.

2019-09-19 07:43:58.997: <22>Sep 19 07:43:57 relay1 exim[15865]: 2019-09-19 07:43:57 [15865] H=(WIN-PIBB3MI829B) []:56428 I=[]:25 incomplete transaction (connection lost) from <killer@com.au>

2019-09-19 09:41:55.642: <22>Sep 19 09:41:54 relay1 exim[24071]: 2019-09-19 09:41:54 [24071] 1iAja6-0006GF-Ir <= nagios@overthewire.com.au H=gen-111.111.111.someting.net (monitor.something.com) []:60354 I=[]:25 P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1333 M8S=0 id=E1iAjZw-000AVV-Mf@monitor.something.com T="[RECOVERY] Killer Check on admin2.bne.overthewire.net.au is OK!" from nagios@something.com for team@monitor.something.com

I was expecting an exact match of the search words "oom-killer AND exim" in the syslog message, but the results don't contain the word oom-killer, only Killer and killer.
If I used term instead of query_string it would be an exact match, but you can't use AND/OR in term.

How can you make exact match query with AND/OR statement?

Thanks for your help in advance.

You can surround your search terms by quotes. So, search for:

"oom-killer" AND "exim"
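The reason the quotes matter: query_string runs each term through the field's analyzer, so an unquoted oom-killer becomes the two tokens oom and killer joined by the default OR, while a quoted "oom-killer" is a phrase that requires the tokens adjacent. The following is an added example (not from the original post), assuming the message field uses the standard analyzer and that the host value is a placeholder; it simulates both matching modes on constructed log lines and builds the corrected query body in the same shape as the post.

```python
import json
import re

# Constructed sample syslog lines, modelled on the two unexpected hits in the post
# plus one genuine OOM-killer line (all constructed, not real log data).
SAMPLE_LINES = [
    "relay1 exim[15865]: incomplete transaction (connection lost) from <killer@com.au>",
    'relay1 exim[24071]: T="[RECOVERY] Killer Check on admin2 is OK!" from nagios@x.com',
    "relay1 kernel: exim invoked oom-killer: gfp_mask=0x14200ca, order=0",
]

def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on non-alphanumerics."""
    return re.findall(r"[a-z0-9]+", text.lower())

def unquoted_match(message, term):
    """Unquoted query_string term with default_operator OR: any token of the term suffices."""
    tokens = analyze(message)
    return any(t in tokens for t in analyze(term))

def phrase_match(message, term):
    """Quoted query_string term (phrase): the term's tokens must appear adjacent, in order."""
    tokens, want = analyze(message), analyze(term)
    return any(tokens[i:i + len(want)] == want for i in range(len(tokens) - len(want) + 1))

def quote_term(term):
    """Escape backslashes and embedded quotes, then wrap the term in double quotes."""
    return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_query(terms, host, days=2, tz="+10:00"):
    """Same bool/filter shape as the post, with every term quoted so AND joins phrases."""
    qs = " AND ".join(quote_term(t) for t in terms)
    return {
        "query": {"bool": {"filter": [
            {"query_string": {"query": qs}},
            {"range": {"@timestamp": {"time_zone": tz, "gte": f"now-{days}d/d", "lte": "now/d"}}},
            {"term": {"host": host}},  # placeholder host; the post left this value empty
        ]}},
        "size": 500,
        "sort": [{"@timestamp": {"order": "asc"}}],
    }

if __name__ == "__main__":
    print(json.dumps(build_query(["oom-killer", "exim"], "relay1"), indent=2))
    for line in SAMPLE_LINES:
        print(unquoted_match(line, "oom-killer"), phrase_match(line, "oom-killer"), line[:48])
```

Only the third constructed line survives the phrase check; the two exim lines match solely because their token list contains killer.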

Thanks abdon,
Yeah, now I get the expected results with the "".
