Lucene query syntax won't work

Martin_Miloshev · February 10, 2022, 9:55am

Hi guys!
I am trying to specify a table which I want to meet an amount of logs of three fields.

for example:

metadata.environment: "prod" and metadata.component: "my-services" and level:"ERROR"

Unfortunately, i get no results.
If i remove the level field it wil be fine... but I want exactly to find the error logs in this component and this environment.

In the discover tab i get:

Expand your time range

One or more of the indices you’re looking at contains a date field. Your query may not match anything in the current time range, or there may not be any data at all in the currently selected time range. You can try changing the time range to one which contains data.

Any help will be appreciated, thanks!

spinscale · February 17, 2022, 8:45am

Hey Martin,

the only explanation without seeing any more details to me is that a field has beeb specified wrong - i.e. level instead of log.level - or that one field is not made searchable.

Do you care do share more details like a sample document along with the mapping, so that you could provide a fully reproducible example to test out and figure out what is wrong?

Thanks!

--Alex

Martin_Miloshev · February 17, 2022, 9:00am

Thanks, Alexander!

I found the issue that if you specify the "and" keyword with lower case it is not working.
should be like:
metadata.environment: "prod" AND metadata.component: "my-services" AND level:"ERROR"

Topic		Replies	Views
Simple and query Elasticsearch	2	340	March 26, 2013
Elasticsearch - query with 2 conditions Elasticsearch	3	1464	June 26, 2020
Query with more than one field Elasticsearch	7	649	July 23, 2020
Search documents with specific field value in time range Elasticsearch	1	692	February 1, 2020
Using logical AND query in Kibana Elasticsearch	3	1093	April 23, 2020

Lucene query syntax won't work

Expand your time range

Related topics