How to hide data from being counted/visualized?

rfc1925 · June 7, 2016, 7:59pm

Yes, i've searched here, the docs & google.

Elasticsearch 2.3.3 Logstash 2.3.2 Kibana 4.5.1

I want to hide content, specifically IP addresses from being analyzed in certain visualizations.

I see the logs hidden if I type "NOT src_ip:0.0.0.0"

I tried the below JSON in a visualization filter,
{
"must_not": [
{
"terms": {
"geoip.ip": "A.A.A.A"
}
},
{
"terms": {
"src_ip": "B.B.B.B"
}
}
]
}

And got:
Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"search_parse_exception","reason":"Unexpected token START_ARRAY in [2].","line":1,"col":298}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2016.06.07","node":"_m4iiLiMTxaIuqBc3zPenw","reason":{"type":"search_parse_exception","reason":"Unexpected token START_ARRAY in [2].","line":1,"col":298}}]}}

What am I doing wrong?

shaunak · June 7, 2016, 9:48pm

I think you are missing the top-level bool query element. Try this:

{ "bool": { "must_not": [ { "terms": { "geoip.ip": "A.A.A.A" } }, { "terms": { "src_ip": "B.B.B.B" } } ] } }

rfc1925 · June 10, 2016, 12:18pm

I had the bool, but that still wasn't helping. I opted to try a different path. Which has worked.

thanks for the help.