How to set filter to check for multiple conditions?

Aswin_Francis · November 14, 2017, 5:52am

I want to add a filter to my existing saved search where I want hide message based on source_name and event_id. So basically if source_name=Microsoft-Windows-Perflib and event_id=1008 then it should display on the discover page.
{
"query": {
"match": {
"source_name": {
"query": "Microsoft-Windows-Perflib",
"type": "phrase"
}
}
}
}

The above filter i added just uses the source name. Can some one help me add filter based on two conditions? I am not given a lot of time to sort few things and i might add more questions as i work in this

amolagnihotri · November 14, 2017, 7:00am

You can try this ...

{
"query": {
"bool": {
"should": [
{"match": {"source_name": {"query": "Microsoft-Windows-Perflib", "type": "phrase"} } },
{"match": {"source_name": {"query": "event_id=1008", "type": "phrase"} } }
]}
}
}

Aswin_Francis · November 14, 2017, 7:07am

Thank you so much!!! Does Kibana have a list of generic windows error that can be ignored instead of manually creating filter?

Aswin_Francis · November 14, 2017, 12:34pm

Andi think you meant:
{
"query": {
"bool": {
"should": [
{"match": {"source_name": {"query": "Microsoft-Windows-Perflib", "type": "phrase"} } },
{"match": {"event_id": {"query": "1008", "type": "phrase"} } }
]}
}
}

system · December 12, 2017, 12:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.