How can I add a second exist query?

Elastic Stack Elasticsearch
1

Hi,

I got this query which is working fine but instead of only checking for the error field I want to check for error or warning so the documents where either the error field or warning field exists, are returned.

GET /_search
{
  "size": 1000,
  "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
          "@timestamp" : { 
                "gte" : "now-3d"
            }
           }
          },
        {
          "bool": {
            "must": {
              "exists": {
                "field": "error"
              }
            }
          }
        }
      ]
    }
  }
}
2

You can do it like this:

{
  "size": 1000,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-3d"
            }
          }
        }
      ],
      "minimum_should_match": 1,
      "should": [
        {
          "exists": {
            "field": "error"
          }
        },
        {
          "exists": {
            "field": "warning"
          }
        }
      ]
    }
  }
}
3

Thanks, that works like a charm.

I can see where I went wrong, everything should be in the same filter.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.