How to use AND operator inside Match

Hi,
I am using Dev Tools. The query below works fine in Kibana Discover:

```
log.file.path:*MY.log*    AND "[COMMAND:HEARTBEAT]"  AND "[CHARGING:0]"
```

But when I do the same in Dev Tools, it only takes the HEARTBEAT and shows all data where CHARGING is 0 and 1, but I just need 0.


```
GET filebeat-*/_search
{
  "size": 1000,
  "query": {
    "bool": {
      "must": [
        {"match": {"log.file.path": "MYlog"}},
        {"match": {"message": "'[COMMAND:HEARTBEAT]' AND '[CHARGING:0]'"}}
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-15m"
          }
        }
      }
    }
  }
}
```

Thanks for the help

You need to specify the operator in a separate field.
Are you searching in two fields here? If that is the case, you need to use multi_match.
If you want to stick with a boolean query, try must and must not CHARGING:1.

Hi, thanks.

My logs are like this:

```
[COMMAND:HEARTBEAT],[GPS STATUS:true],[INFO:false],[SIGNAL:false],[ENGINE:0],[DOOR:0],[LON:0],[LAT:0],[SPEED:0.0],[HEADING:-1.0],[BATTERY:100.0%],[CHARGING:0]

[COMMAND:HEARTBEAT],[GPS STATUS:true],[INFO:false],[SIGNAL:false],[ENGINE:0],[DOOR:0],[LON:0],[LAT:0],[SPEED:0.0],[HEADING:-1.0],[BATTERY:100.0%],[CHARGING:1]
```
So how do I set it? I need the records where [COMMAND:HEARTBEAT] AND [CHARGING:0]. I don't need the logs where [COMMAND:HEARTBEAT] AND [CHARGING:1].

Thanks

@Fosiul_Alam do you have it in separate fields, or is this one "message" field?

Hi,
I am using Logstash, so I have the same log in 2 different ways:

```
{
  "_index": "filebeat-7.2.0-2019.09.14",
  "_type": "_doc",
  "_id": "Aps9MW0BBmrGS9dAswgZ",
  "_version": 1,
  "_score": null,
  "_source": {
    "ecs": {
      "version": "1.0.0"
    },
    "@version": "1",
    "message": "[COMMAND:HEARTBEAT],[GPS STATUS:true],[INFO:false],[SIGNAL:false],[ENGINE:0],[DOOR:0],[LON:0],[LAT:0],[SPEED:0.0],[HEADING:-1.0],[BATTERY:100.0%],[CHARGING:0],[O&E:CONNECTED]",
    "GPS-LOG": {
      "O&E": "CONNECTED",
      "GPS POS": "true",
      "ENGINE": "0",
      "COMMAND": "HEARTBEAT",
      "GSM_SIGNAL": "75",
      "CHARGING": "0",
      "HEADING": "-1.0",
      "FUEL": "0.0V/0.0%",
      "SPEED": "0.0",
      "GPS STATUS": "true",
      "ALARM": "NONE",
      "BATTERY": "100.0%",
      "TIMESTAMP": "null",
      "LON": "0",
      "LAT": "0",
      "DOOR": "0",
      "SERIAL": "1670",
      "SIGNAL": "false",
      "INFO": "false",
      "GPS_SATS": "11"
    },
```

From these 2 types of logs, whichever is easy to get.
My real logs from the server are like this:

```
18:15:53,909 DEBUG [com.] (default-threads - 57) (338)>[TIMESTAMP:Sun Sep 15 18:15:53 UTC 2019],[COMMAND:INFO],[GPS STATUS:true],[INFO:true],[SIGNAL:false],[ENGINE:0],[DOOR:0],[LON:90],[LAT:23],[SPEED:0.0],[HEADING:240.0],[BATTERY:83.0%],[CHARGING:0],[O&E:CONNECTED],[GSM_SIGNAL:100],[GPS_SATS:8],[GPS POS:true],[FUEL:0.0V/0.0%],[ALARM:NONE],[SERIAL:03AA]
```

Thanks

@Fosiul_Alam I would try something like that:

```
GET /filebeat-7.2.0-2019.09.14/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "command": "heartbeat"
          }
        }
      ],
      "must_not": [
        {
          "match": {
            "charging": "1"
          }
        }
      ]
    }
  }
}
```

Hi,
this is giving every log...
nothing related to only the logs where
[COMMAND:HEARTBEAT] AND [CHARGING:0]

Hi
By using Term, I am able to get the result
Thanks


Nice to see you've done that 🙂
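
The thread closes without showing the `term` query that worked. The request below is an added example, not something posted by any participant: it filters on the parsed `GPS-LOG` fields from the sample document earlier in the thread. It assumes `GPS-LOG.COMMAND` and `GPS-LOG.CHARGING` are mapped as `keyword`, so `term` compares the stored value exactly instead of analyzing it as `match` does.

```console
# Added example. Assumes GPS-LOG.COMMAND and GPS-LOG.CHARGING are keyword fields,
# so the values must match the indexed strings exactly ("HEARTBEAT", "0").
# All clauses sit in filter context: every one must hold, and no scoring is done.
GET filebeat-*/_search
{
  "size": 1000,
  "query": {
    "bool": {
      "filter": [
        { "term": { "GPS-LOG.COMMAND": "HEARTBEAT" } },
        { "term": { "GPS-LOG.CHARGING": "0" } },
        { "range": { "@timestamp": { "gte": "now-15m" } } }
      ]
    }
  }
}
```

If the fields are mapped as `text` with a `keyword` sub-field instead, the same `term` clauses would target `GPS-LOG.COMMAND.keyword` and `GPS-LOG.CHARGING.keyword`.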
