Finding whole terms

jnpetty · January 4, 2018, 2:43am

I am having trouble setting up a watcher so it looks for a whole term instead of individual words. For example if I had a message that contained "The red hat hung on the hook" and wanted watcher to send an email every time it found the words "red hat". Not "red" or "hat" or "hat red", I only want "red hat". How would I setup the input.

Currently I have something similar to the following:

  "input": {
    "search": {
      "request": {
        "indices": [
          "red-hat-index-*"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "red hat"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-10m"
                    }
                  }
                }
              ]
            }
          },
          "_source": [
            "message"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  }

What am I missing in this input??

Bonus question, what if I wanted to find all messages with "red hat", but only the ones where the field "type" is equal to "red_hat_logs"?

Thanks!

spinscale · January 4, 2018, 9:18am

Please take the time to format your messages properly, this JSON is super hard to read and markdown has excellent support for code snippets.

This is actually not a watcher issue, but rather a question how to write a proper query in the first place. You may want to read about phrase queries in the query_string query how to make this works.

On top of that you can specify the type you want to query as part of the search input.

Hope this helps!

--Alex

jnpetty · January 4, 2018, 4:11pm

The link you provided isnt clicking in my head. At the top of page it says that it will treat "field:new york AND city" as splited terms"new", "york" and "city"

But at the bottom is contradicts that by saying author:"John Smith" will treat it as the exact phrase. So this isnt making sense.

spinscale · January 5, 2018, 8:01am

it depends if you are using double ticks or not. If you do, the query will become a phrase query.

system · February 2, 2018, 8:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.