Hi friends,
I am making a Python script to query ES to search Linux syslog.
The script sends the following query:
{'query': {'bool': {'filter': [
        {'query_string': {'query': 'oom-killer AND exim'}},
        {'range': {'@timestamp': {'time_zone': '+10:00', 'lte': 'now/d', 'gte': 'now-2d/d'}}},
        {'term': {'host': '172.17.47.16'}}]}},
 'size': 500,
 'sort': [{'@timestamp': {'order': 'asc'}}, {'@timestamp': {'order': 'asc'}}]}
and I get the following two results:
2019-09-19 07:43:58.997: 172.17.47.16: <22>Sep 19 07:43:57 relay1 exim[15865]: 2019-09-19 07:43:57 [15865] H=(WIN-PIBB3MI829B) [119.111.123.123]:56428 I=[119.111.123.123]:25 incomplete transaction (connection lost) from <killer@com.au>
2019-09-19 09:41:55.642: 172.17.47.16: <22>Sep 19 09:41:54 relay1 exim[24071]: 2019-09-19 09:41:54 [24071] 1iAja6-0006GF-Ir <= nagios@overthewire.com.au H=gen-111.111.111.someting.net (monitor.something.com) [119.111.123.123]:60354 I=[172.17.47.16]:25 P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1333 M8S=0 id=E1iAjZw-000AVV-Mf@monitor.something.com T="[RECOVERY] Killer Check on admin2.bne.overthewire.net.au is OK!" from nagios@something.com for team@monitor.something.com
I was expecting an exact match of the search words "oom-killer AND exim" in the syslog message, but the results don't contain the word oom-killer, only Killer and killer.
If I used term instead of query_string it would be an exact match, but you can't use AND/OR in term.
How can you make an exact-match query with AND/OR statements?
Thanks for your help in advance.
ES7
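Added example (editor's code, not the poster's script or an official Elasticsearch sample). It shows why the unquoted query_string matched "Killer": on a text field the standard analyzer splits "oom-killer" into the tokens "oom" and "killer", and the query parser then searches for either token, so any line containing "killer" qualifies. It also builds a corrected ES7 body that keeps the AND semantics while requiring the adjacent token sequence "oom-killer", using a match_phrase clause plus a match clause inside the same bool filter (or, equivalently, quoting the phrase inside query_string). The syslog text is assumed to live in a field named "message"; that field name, and the oom-killer sample line, are assumptions not present in the post. The tokenizer here is a rough local stand-in for the standard analyzer, enough to illustrate the behaviour offline.

```python
"""Why 'oom-killer AND exim' matched 'Killer', and a query that does not.

Assumptions (not in the original post): the log text is indexed in a text
field called "message" with the standard analyzer.
"""
import re


def tokenize_standard(text):
    """Rough local stand-in for the standard analyzer: split on anything that
    is not a letter/digit/underscore and lowercase. 'oom-killer' -> ['oom', 'killer']."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)]


def query_string_terms(qs):
    """Decompose an unquoted query_string the way the parser does: each
    whitespace-separated clause is analyzed separately, so 'oom-killer'
    becomes an OR of 'oom' and 'killer' rather than one exact word."""
    clauses = [c for c in qs.split() if c.upper() not in ("AND", "OR")]
    return {c: tokenize_standard(c) for c in clauses}


def phrase_matches(text, phrase):
    """True when the analyzed phrase tokens occur adjacent and in order in the
    analyzed text. This is the check match_phrase (or a quoted query_string
    phrase) performs, and it is what makes 'oom-killer' exact again."""
    toks = tokenize_standard(text)
    want = tokenize_standard(phrase)
    n = len(want)
    return any(toks[i:i + n] == want for i in range(len(toks) - n + 1))


def build_query(host, phrase="oom-killer", extra_term="exim", size=500):
    """Corrected ES7 body: match_phrase for the hyphenated word, match for the
    second word (both ANDed by being in the same filter list), the original
    range and host filters, and a single sort key."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"match_phrase": {"message": phrase}},  # "message" is an assumed field name
                    {"match": {"message": extra_term}},
                    {"range": {"@timestamp": {"time_zone": "+10:00",
                                              "gte": "now-2d/d", "lte": "now/d"}}},
                    {"term": {"host": host}},
                ]
            }
        },
        "size": size,
        "sort": [{"@timestamp": {"order": "asc"}}],
    }


def build_query_string_variant(host, phrase="oom-killer", extra_term="exim"):
    """Same intent expressed with query_string: quoting the hyphenated word
    turns it into a phrase clause, so AND/OR syntax is still available."""
    return {"query_string": {"query": f'"{phrase}" AND {extra_term}',
                             "default_field": "message"}}


# Constructed sample lines, shortened from the post; the third is invented to
# show a true hit.
SAMPLE_LINES = [
    'relay1 exim[15865]: incomplete transaction (connection lost) from <killer@com.au>',
    'relay1 exim[24071]: T="[RECOVERY] Killer Check on admin2 is OK!"',
    'relay1 kernel: exim invoked oom-killer: gfp_mask=0x201da, order=0',
]


def filter_lines(lines, phrase="oom-killer", extra_term="exim"):
    """Apply the phrase + term logic locally to show which sample lines the
    corrected query would keep."""
    return [line for line in lines
            if phrase_matches(line, phrase) and extra_term in tokenize_standard(line)]


if __name__ == "__main__":
    print(query_string_terms("oom-killer AND exim"))
    print(filter_lines(SAMPLE_LINES))
    print(build_query("172.17.47.16"))
```

Both bodies are sent the same way as the original (the dict is the request body); only the clause for the hyphenated word changes. If the field is a keyword rather than text, `term` on the whole line would be needed instead, and neither AND nor phrase matching applies.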