How to apply filter in a watcher query? "[boosting] query does not support [filter]"

Hi Gurus,

Here is a scenario:
I have set up an alert based upon a keyword " Spamhaus", to check logs every hour.
It is working fine.
BUT,
I want to exclude any logs if Keywords comes in with "(Spamhaus/Invaluement/ReturnPath)" in this format.

Based upon my regex I am using "pamhaus" to handle both capital "S" and small "s" in the "Spamhaus" keyword.

I am trying to look for a filter to further discard any results with keyword "(Spamhaus/Invaluement/ReturnPath)".

How to make this possible?

Here is my watcher code:
"body": {
  "query": {
    "boosting": {
      "positive": {
        "query_string": {
          "query": "textFromISP: pamhaus"
        }
      },
      "negative": {
        "query_string": {
          "query": "textFromISP: /Invaluement"
        }
      },
      "negative_boost": 0.5,
      "filter": {
        "range": {
          "@timestamp": {
            "from": "now-6h",
            "to": "now"
          }
        }
      }
    }
  }
}

Please help.

Here is the output:
"result": {
  "execution_time": "2019-10-01T12:19:00.066Z",
  "execution_duration": 0,
  "input": {
    "type": "search",
    "status": "failure",
    "error": {
      "root_cause": [
        {
          "type": "parsing_exception",
          "reason": "[boosting] query does not support [filter]",
          "line": 1,
          "col": 177
        }
      ],
      "type": "parsing_exception",
      "reason": "[boosting] query does not support [filter]",
      "line": 1,
      "col": 177
    },

Thanks,
Sonal
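The parsing_exception above is raised because `filter` is not a clause of the `boosting` query; it belongs to a `bool` query, where `must` carries the positive keyword search, `must_not` drops the unwanted phrase and `filter` holds the non-scoring time range. The following is an added example, not code from the original post or from Elastic: it builds that `bool` body in Python, lints a query body for the exact `boosting`/`filter` combination the error reports, and runs a local approximation of the selection logic over constructed sample documents so the exclusion can be checked offline. The field name `textFromISP` and the exclusion phrase come from the post; the assumption that `textFromISP` is an analyzed text field (so `match_phrase` matches the phrase tokens in order), the helper names and the sample documents are mine.

```python
"""Added example: move the time-range filter from the boosting query into a
bool query, which is the clause that accepts filter/must/must_not together.
Field name and exclusion phrase come from the post; everything else is assumed."""
import json
from datetime import datetime, timedelta, timezone

# Literal phrase the poster wants excluded (from the post).
EXCLUDE_PHRASE = "(Spamhaus/Invaluement/ReturnPath)"
FIELD = "textFromISP"  # field name from the post


def build_search_body(window="6h"):
    """Watcher input.search.request.body using a bool query.

    must      -> the positive query_string the poster already has working
    must_not  -> drops hits that contain the exclusion phrase
    filter    -> time window; non-scoring, and allowed here unlike under boosting
    Assumes textFromISP is a text field with the standard analyzer, so
    match_phrase matches the tokens spamhaus / invaluement / returnpath in order.
    """
    return {
        "size": 0,
        "query": {
            "bool": {
                "must": [{"query_string": {"query": f"{FIELD}: pamhaus"}}],
                "must_not": [{"match_phrase": {FIELD: EXCLUDE_PHRASE}}],
                "filter": [
                    {"range": {"@timestamp": {"gte": f"now-{window}", "lte": "now"}}}
                ],
            }
        },
    }


def find_unsupported_filter(node, path=()):
    """Walk a query body and return the path of a 'filter' key nested directly
    under a 'boosting' clause, the combination the post's error message reports.
    Returns None when the body is clean; handy as a pre-deploy lint for watches."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "boosting" and isinstance(value, dict) and "filter" in value:
                return path + ("boosting", "filter")
            found = find_unsupported_filter(value, path + (key,))
            if found:
                return found
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found = find_unsupported_filter(item, path + (i,))
            if found:
                return found
    return None


def select_alert_docs(docs, now, window_hours=6):
    """Local approximation of what the bool query above selects: keyword present
    (case-insensitive), exclusion phrase absent, timestamp inside the window.
    Returns the ids of the matching documents."""
    start = now - timedelta(hours=window_hours)
    hits = []
    for doc in docs:
        text = doc.get(FIELD, "").lower()
        if not (start <= doc["@timestamp"] <= now):
            continue  # outside the time window -> dropped by the range filter
        if "pamhaus" not in text:
            continue  # positive keyword missing -> not matched by must
        if EXCLUDE_PHRASE.lower() in text:
            continue  # exclusion phrase present -> removed by must_not
        hits.append(doc["id"])
    return hits


# Constructed sample documents (not real log data); timestamps relative to NOW.
NOW = datetime(2019, 10, 1, 12, 19, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"id": "a", "@timestamp": NOW - timedelta(hours=1),
     FIELD: "Blocked by Spamhaus ZEN listing"},
    {"id": "b", "@timestamp": NOW - timedelta(hours=2),
     FIELD: "sender listed (Spamhaus/Invaluement/ReturnPath)"},
    {"id": "c", "@timestamp": NOW - timedelta(hours=3),
     FIELD: "rejected: spamhaus PBL"},
    {"id": "d", "@timestamp": NOW - timedelta(hours=9),
     FIELD: "Spamhaus hit but outside the 6h window"},
    {"id": "e", "@timestamp": NOW - timedelta(minutes=5),
     FIELD: "greylisted, no RBL involved"},
]

if __name__ == "__main__":
    print(json.dumps(build_search_body(), indent=2))
    print("matching ids:", select_alert_docs(SAMPLE_DOCS, NOW))
```

The `bool` body printed by `build_search_body()` is what would replace the `boosting` block under `"input": {"search": {"request": {"body": ...}}}` in the watch; the `negative_boost` scoring trick is no longer needed because `must_not` removes the unwanted hits outright rather than down-ranking them.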
