Below is the query i have written in logstash config file
elasticsearch {
hosts => ["localhost:9200"]
index => "restricteddata"
query => "type:restricted AND acc_number:%{[acc_id]} AND corp_id:%{[corp_code]} || grp_number:%{[grp_id]}"
fields => { "restricted_status" => "restricted_ind" }
sort => "@timestamp:desc"
}
I'm getting this error while running the logstash config file
Failed to query elasticsearch for previous event {:index=>"restricteddata", :error=>"[400] {"error":{"root_cause":[{"type":"query_shard_exception","reason":"Failed to parse query [type:restricted AND acc_number:%{[acc_id]} AND corp_id:IL1 || grp_number:0000P7001]","index_uuid":"YEKt-5gDTkeQdT852iaJJA","index":"restricteddata"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"restricteddata","node":"5Bn2UJ10TjGoTdoRA5TdhA","reason":{"type":"query_shard_exception","reason":"Failed to parse query [type:restricted AND acc_number:%{[acc_id]} AND corp_id:IL1 || grp_number:0000P7001]","index_uuid":"YEKt-5gDTkeQdT852iaJJA","index":"restricteddata","caused_by":{"type":"parse_exception","reason":"Cannot parse 'type:restricted AND acc_number:%{[acc_id]} AND corp_id:IL1 || grp_number:0000P7001': Encountered \" \"]\" \"] \"\" at line 1, column 40.\r\nWas expecting:\r\n \"TO\" ...\r\n ","caused_by":{"type":"parse_exception","reason":"Encountered \" \"]\" \"] \"\" at line 1, column 40.\r\nWas expecting:\r\n \"TO\" ...\r\n "}}}}]},"status":400}"}
Please help me to fix this!!
Thanks