Iterates bucket aggs in second chain input

In a chain search, I use my first aggs result as the input for the second chain, following the example here:
"terms": { "process_host": [ "{{#ctx.payload.started_processes.aggregations.process_hosts.buckets}}{{key}}", "{{/ctx.payload.started_processes.aggregations.process_hosts.buckets}}" ] }

This snippet always returns an empty element at the end. This is the result:
"reason": "SearchPhaseExecutionException[all shards failed]; nested: QueryShardException[failed to create query: {\n \"bool\" : {\n \"must\" : [\n {\n \"terms\" : {\n \"src_ip\" : [\n \"172.16.36.32\",\n \"172.16.36.33\",\n \"172.16.36.64\",\n \"\"\n ],\n \"boost\" : 1.0\n }\n },\n {\n \"term\" : {\n \"switch_error\" : {\n \"value\" : \"%SEC_LOGIN-4-LOGIN_FAILED\",\n \"boost\" : 1.0\n }\n }\n }\n ],\n \"disable_coord\" : false,\n \"adjust_pure_negative\" : true,\n \"boost\" : 1.0\n }\n}]; nested: IllegalArgumentException['' is not an IP string literal.]; ",

My src_ip aggs returns 3 IPs. How do I make it right?
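Why the loop in the post ends with `""`, as an added example that is not part of the original post: a simplified Python model of Mustache section expansion applied to the serialized `terms` array, with a pre-flight IP check. The payload path is shortened to `buckets`, the sample payload is constructed from the IPs in the error message, and `terms_from_keys` stands in for serializing a list of keys in one step (in a chain input that would take a transform collecting the keys plus a `{{#toJson}}` section, which is an assumption here).

```python
import ipaddress
import json
import re

# Constructed sample: the three bucket keys visible in the error message.
PAYLOAD = {"buckets": [{"key": "172.16.36.32"},
                       {"key": "172.16.36.33"},
                       {"key": "172.16.36.64"}]}

# The post's terms array as it looks once the request body is a single
# template string (payload path shortened to `buckets`, an assumption).
LOOP_TEMPLATE = '["{{#buckets}}{{key}}", "{{/buckets}}"]'

SECTION = re.compile(r"\{\{#(\w+)\}\}(.*?)\{\{/\1\}\}", re.S)
VARIABLE = re.compile(r"\{\{(\w+)\}\}")


def render(template, ctx):
    """Repeat each {{#name}}body{{/name}} once per list item, filling {{var}}."""
    def expand(match):
        body = match.group(2)  # here: '{{key}}", "', separator included
        return "".join(
            VARIABLE.sub(lambda v: str(item[v.group(1)]), body)
            for item in ctx.get(match.group(1), [])
        )
    return SECTION.sub(expand, template)


def invalid_ips(values):
    """Return the values an ip-typed field would reject."""
    bad = []
    for value in values:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(value)
    return bad


def terms_from_keys(ctx):
    """Serialize the keys as one JSON array, so no separator is left over."""
    return json.dumps([bucket["key"] for bucket in ctx["buckets"]])


if __name__ == "__main__":
    looped = json.loads(render(LOOP_TEMPLATE, PAYLOAD))
    print("loop    :", looped, "rejected:", invalid_ips(looped))
    fixed = json.loads(terms_from_keys(PAYLOAD))
    print("one step:", fixed, "rejected:", invalid_ips(fixed))
```

The section body carries the `", "` separator, so the last iteration opens one more string that the closing quote of the array's second element then terminates as `""`. A keyword field tolerates that extra term, while an ip field rejects it.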
