Kibana multiple query is not allowed

111316 · April 13, 2020, 6:25pm

Hello!

To use multiple queries as below, an error occurs.
Please tell me how to use 2 IP bands.

{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"flow.dst_addr": {"gte": "1.1.1.1", "lt": "1.1.1.254"}}
},
{
"match_phrase": {
"flow.dst_addr": {"gte": "2.2.2.1", "lt": "2.2.2.254"}
}
}
],
"minimum_should_match": 1
}
}
}

※ Error in visualization

[esaggs] > Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"parsing_exception","reason":"[match_phrase] query does not support [gte]","line":1,"col":1475}],"type":"parsing_exception","reason":"[match_phrase] query does not support [gte]","line":1,"col":1475},"status":400}

lukas · April 14, 2020, 10:33pm

You can use a KQL expression similar to this:

(flow.dst_addr >= 1.1.1.1 and flow.dst_addr < 1.1.1.254) or (flow.dst_addr >= 2.2.2.1 and flow.dst_addr < 2.2.2.254)

Luca_Belluccini · April 15, 2020, 12:17am

@lukas is right.

In DSL, you might want to use:

GET myindex/_search
{
  "query": {
    "bool": {
      "should": [
        {
          "range": {
            "flow.dst_addr": {
              "gte": "1.1.1.1",
              "lt": "1.1.1.254"
            }
          }
        },
        {
          "range": {
            "flow.dst_addr": {
              "gte": "2.2.2.1",
              "lt": "2.2.2.254"
            }
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

Or:

GET myindex/_search
{
  "query": {
    "bool": {
      "should": [
        {
          "term": {
            "flow.dst_addr": "1.1.1.1/24"
          }
        },
        {
          "term": {
            "flow.dst_addr": "2.2.2.1/24"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}

system · May 13, 2020, 12:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.