Logstash query against elastic returning unwanted field

I am exporting the metricbeat index from elastic using logstash.

I would like to exclude the service.type term docker from the output. I am using the following query:

    query => '{
        "query": {
          "bool": {
            "should": [{"term":{"service.type":"kubernetes"}},{"term":{"service.type":"prometheus"}},{"term":{"service.type":"system"}}],
            "filter": [{"range": { "@timestamp": {"gte": "now-15m","lte": "now","format": "strict_date_optional_time||epoch_millis"}}}]
          }
        }
    }'

So, in the query above I am just including the service types that I want to see in the output index. However, in the resulting JSON output file, I am still seeing the service type docker.

    "max_score" : 0.8040674,
    "hits" : [
      {
        "_index" : "metricbeat-7.17.7-2023.04.04-000007",
        "_type" : "_doc",
        "_id" : "t4NRUIcBtJJ8K_62Ehkk",
        "_score" : 0.8040674,
        "_source" : {
          "@version" : "1",
          "service" : {
            "address" : "unix:///var/run/docker.sock",
            "type" : "docker"
          },

Using the should clause for the service.type terms means it will return documents that match any of the listed terms, but it does not exclude the "docker" service type. Elastic docs: Boolean query | Elasticsearch Guide [7.17] | Elastic

Please try to modify the query to include a must_not clause inside the bool query to exclude the docker service type.

Something like this...

      "must_not": [
        {"term": {"service.type": "docker"}}
      ],
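The behaviour the question reports follows from how Elasticsearch treats `should` inside a `bool` query: when the `bool` query also has a `filter` (or `must`) clause, `minimum_should_match` defaults to 0, so the `should` terms only affect scoring and every document that passes the time-range filter is returned, docker included. The added example below is not from the thread or from Elastic; it is a small Python stand-in that builds the three query shapes (should only, should plus `must_not`, should with `minimum_should_match: 1`) and evaluates them against constructed metricbeat-like documents using those same defaults. The `WINDOW` bounds and `SAMPLE_DOCS` are constructed stand-ins for `now-15m`..`now` and for real hits, and `matches` supports only the `term`, `range` and `bool` clauses used here.

```python
import json

# Constructed numeric stand-in for the "now-15m".."now" range (epoch millis in a real index).
WINDOW = {"gte": 1000, "lte": 2000}

# Constructed sample hits; only the fields the query looks at are present.
SAMPLE_DOCS = [
    {"service": {"type": "docker",     "address": "unix:///var/run/docker.sock"}, "@timestamp": 1500},
    {"service": {"type": "kubernetes"}, "@timestamp": 1500},
    {"service": {"type": "prometheus"}, "@timestamp": 1500},
    {"service": {"type": "system"},     "@timestamp": 1500},
    {"service": {"type": "kubernetes"}, "@timestamp": 500},   # outside the time window
]


def build_query(wanted_types, excluded_types=(), minimum_should_match=None):
    """Build the same bool query shape the Logstash input uses, optionally with
    a must_not list and an explicit minimum_should_match."""
    bool_q = {
        "should": [{"term": {"service.type": t}} for t in wanted_types],
        "filter": [{"range": {"@timestamp": WINDOW}}],
    }
    if excluded_types:
        bool_q["must_not"] = [{"term": {"service.type": t}} for t in excluded_types]
    if minimum_should_match is not None:
        bool_q["minimum_should_match"] = minimum_should_match
    return {"query": {"bool": bool_q}}


def _get(doc, path):
    """Resolve a dotted field name such as service.type against a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(clause, doc):
    """Evaluate a term / range / bool clause the way Elasticsearch 7.x does,
    including the minimum_should_match default (1 only when there is no must
    and no filter, otherwise 0)."""
    if "term" in clause:
        (field, value), = clause["term"].items()
        return _get(doc, field) == value
    if "range" in clause:
        (field, bounds), = clause["range"].items()
        v = _get(doc, field)
        if v is None:
            return False
        if "gte" in bounds and v < bounds["gte"]:
            return False
        if "lte" in bounds and v > bounds["lte"]:
            return False
        return True
    if "bool" in clause:
        b = clause["bool"]
        must, filt = b.get("must", []), b.get("filter", [])
        should, must_not = b.get("should", []), b.get("must_not", [])
        # must and filter are both required; filter just does not score.
        if not all(matches(c, doc) for c in must + filt):
            return False
        # any must_not match rejects the document outright.
        if any(matches(c, doc) for c in must_not):
            return False
        msm = b.get("minimum_should_match")
        if msm is None:
            msm = 1 if (should and not must and not filt) else 0
        return sum(matches(c, doc) for c in should) >= msm
    raise ValueError(f"unsupported clause: {list(clause)}")


def run(query, docs):
    """Return the service.type of every document the query would return."""
    return [_get(d, "service.type") for d in docs if matches(query["query"], d)]


WANTED = ["kubernetes", "prometheus", "system"]

if __name__ == "__main__":
    for label, q in [
        ("should only (as in the question)", build_query(WANTED)),
        ("should + must_not docker (as suggested)", build_query(WANTED, excluded_types=["docker"])),
        ("should + minimum_should_match 1", build_query(WANTED, minimum_should_match=1)),
    ]:
        print(label, "->", run(q, SAMPLE_DOCS))
    print(json.dumps(build_query(WANTED, excluded_types=["docker"]), indent=2))
```

Running it shows the first query still returning docker while the `must_not` and `minimum_should_match: 1` variants drop it; the old kubernetes document is removed by the range filter in all three cases. `must_not` is the right tool when the goal is to reject a specific value regardless of what else is in the document; `minimum_should_match: 1` is the right tool when the goal is "only the listed types", which also excludes any type that appears later.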