GET logstash-audit-*/_search
{
  "from": 0,
  "size": 100,
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "trans_iduid.raw": "test-000"
                }
              },
              {
                "term": {
                  "trans_idway_id.raw": 6
                }
              }
            ],
            "minimum_number_should_match": 1
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "trans_id.raw": 3
                }
              },
              {
                "missing": {
                  "field": "trans_idraw"
                }
              }
            ],
            "minimum_number_should_match": 1
          }
        }
      ],
      "must_not": [
        {
          "term": {
            "internal_audit": true
          }
        }
      ]
    }
  },
  "_source": ["@timestamp", "trans_id"]
}
The easiest way is to just chuck it all inside a filter clause of another bool query:
GET logstash-audit-*/_search
{
  "from": 0,
  "size": 100,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [
              {
                "bool": {
                  "should": [
                    {
                      "term": {
                        "trans_iduid.raw": "test-000"
                      }
                    },
                    {
                      "term": {
                        "trans_idway_id.raw": 6
                      }
                    }
                  ],
                  "minimum_number_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "term": {
                        "trans_id.raw": 3
                      }
                    },
                    {
                      "missing": {
                        "field": "trans_idraw"
                      }
                    }
                  ],
                  "minimum_number_should_match": 1
                }
              }
            ],
            "must_not": [
              {
                "term": {
                  "internal_audit": true
                }
              }
            ]
          }
        }
      ]
    }
  },
  "_source": [
    "@timestamp",
    "trans_id"
  ]
}
You could do some re-arranging, but that's the easiest way.
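Added example, not part of the thread and not code from either poster: a Python sketch of the "re-arranging" mentioned above. It moves top-level must clauses into filter when the bool has no should clause of its own, and otherwise falls back to the wrap shown in the reply. The names to_filter_context and either are hypothetical; SEARCH is the query from the first post.

```python
import copy

def _as_list(clause):
    # The query DSL accepts a single clause or a list of clauses.
    return clause if isinstance(clause, list) else [clause]

def to_filter_context(body):
    """Return a copy of a search body whose query runs in filter context."""
    out = copy.deepcopy(body)  # never mutate the caller's query
    query = out.get("query") or {"match_all": {}}
    bool_q = query.get("bool") if list(query) == ["bool"] else None
    if isinstance(bool_q, dict) and "should" not in bool_q:
        # Re-arrange: must -> filter. must_not is already non-scoring, and
        # bool queries nested under filter inherit filter context.
        clauses = _as_list(bool_q.pop("filter", [])) + _as_list(bool_q.pop("must", []))
        if clauses:
            bool_q["filter"] = clauses
        out["query"] = query
    else:
        # A top-level should changes meaning once must/filter is present,
        # so fall back to the wrap from the reply above.
        out["query"] = {"bool": {"filter": [query]}}
    return out

def either(*clauses):
    # Helper for the "A or B" sub-queries used in the thread.
    return {"bool": {"should": list(clauses), "minimum_number_should_match": 1}}

# The query from the first post, rebuilt as a Python dict.
SEARCH = {
    "from": 0, "size": 100,
    "query": {"bool": {
        "must": [
            either({"term": {"trans_iduid.raw": "test-000"}},
                   {"term": {"trans_idway_id.raw": 6}}),
            either({"term": {"trans_id.raw": 3}},
                   {"missing": {"field": "trans_idraw"}}),
        ],
        "must_not": [{"term": {"internal_audit": True}}],
    }},
    "_source": ["@timestamp", "trans_id"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_filter_context(SEARCH), indent=2))
```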
Thanks polyfractal, that helps. Only query is that this should be faster than a query without filter, the one which I pasted above.