How to find a missing word in elastic search query

Jude_Jerome · February 13, 2023, 5:45am

Hello Team,

I have a 100 + applications which sending logs daily. I want to filter out the application which does not have a specific word. For example if a application log does not have success keyword then i need to filter that.

I can able to search with success as keyword and get results.

I heard there was a option about missing query which is not available now.

Any inputs ?

carly.richmond · February 13, 2023, 9:45am

Hi @Jude_Jerome,

To confirm, are you looking for logs where a particular word doesn't exist in a given field. Would using must_not help you?

Jude_Jerome · February 15, 2023, 5:38am

Hello Carly,

I am using must query to filter out the applications, from that applications i need to find out the what are application logs does not have specific word. For example 50 applications log files are processed with message stated "Done" . I need to filter out what are the applications have "Done"and what are those does not have "Done". word in the applications.

carly.richmond · February 15, 2023, 12:53pm

Hi @Jude_Jerome ,

Thanks for confirming. Can you share the query you are using currently?

Jude_Jerome · February 16, 2023, 4:54am

Hello Carly,

Please find the query,

GET application_stream/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "applicationname.keyword": [
              "Dexapplica",
              "Foxaplica",
              "applicationfive",
              "app",
              "Dfhjju",
              "testapplica",
              "Devapplica",
              "prodapplica",
              "prepord",
              "Clarifica",
              "Dayapplica",
              "Logapplica",
              "testcase",
              "Procesapplica"
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-30m",
              "lte": "now"
            }
          }
        },
       {
          "match_phrase_prefix": {
            "message": "Log query made progress*"
          }
        }
      ]
    }
  },
  "aggs": {
    "application": {
      "terms": {
        "field": "applicationname.keyword"
      },
      "aggs": {
        "documents": {
          "value_count": {
            "field": "applicationname.keyword"
          }
        }
      }
    }
  }
}

carly.richmond · February 16, 2023, 10:12am

Thanks for that. Are you able to run two queries to get those that are not done separate from those that are done?

Jude_Jerome · February 16, 2023, 5:42pm

Hello Carly,

I haven’t tried that one. Will you be able to suggest how to achieve atleast with separate query.

Jude_Jerome · February 20, 2023, 7:06am

Hello Carly,

GET index/_search?size=0
{
  "query": {
    "bool": {
      "must_not": {
        "match": {
          "message": "Sucess*"
        }
      }
    }
  }
}

The above query works but I am trying to get the same result in one query instead of separate.

system · March 20, 2023, 7:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.