Hi,
I'm able to use "Match" queries to match single words and "match_phrase" to match exactly on a complete string. This is great and working for 80% of the matches I'm looking for with Watcher/ES.
The last 20% of the queries I need to watch for are regular expression based. For example:
LINK-5-CHANGED.*reset
LINK-5-CHANGED.*administratively
They're very similar but I'm unable to get any query to match just one message. Match_phrase won't even see it.
If I add this message to syslog via logger - "logger -p auth.notice LINK-5-CHANGED and about to be reset", this feeds into ES and when I run the watch, both my "match" queries for both of the expressions above match and send an email.
Is anyone able to help me to match on these regular expressions and how best to do it? I did see you could override the operator and change it to AND when using the "match" query but I don't think it works with the way I've written my code.
Here is a snippet of my code:
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-*" ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match": { "message": "LINK-5-CHANGED.*reset" }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-16s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
Thanks for any help you can give me.
Regards
Dennis
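The following added example is not part of the original post; it emulates in Python why a `match` query fires for both patterns. A `match` query analyzes its query text into terms, so "LINK-5-CHANGED.*reset" becomes the terms link, 5, changed, reset and the ".*" is discarded; with the default OR operator any message sharing one term matches. The example compares the default OR behaviour, the `"operator": "and"` override mentioned in the post, and a true regular expression over the raw message. The tokenizer is a simplified stand-in for the standard analyzer, the sample messages are constructed, and the query-body builder is an assumption about how the post's watch input would be written with the operator override (it keeps the post's `filtered` / `range` structure).

```python
import re

# Constructed sample syslog messages, not taken from the poster's cluster.
SAMPLE_MESSAGES = [
    "LINK-5-CHANGED and about to be reset",              # should match pattern A only
    "LINK-5-CHANGED interface administratively down",    # should match pattern B only
    "Unrelated notice: link reset by operator",          # shares terms with A but is not a LINK-5-CHANGED event
    "Port reset before LINK-5-CHANGED",                  # has every term of A, but in the wrong order
]

PATTERN_A = "LINK-5-CHANGED.*reset"
PATTERN_B = "LINK-5-CHANGED.*administratively"


def analyze(text):
    """Simplified stand-in for the standard analyzer (assumption): lowercase and
    split on anything that is not a letter or digit. Punctuation such as '.*' is
    dropped, so a regex pattern turns into a bag of ordinary terms."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def match_query(message, query_text, operator="or"):
    """Emulate a `match` query: the query text is analyzed into terms, and the
    message matches if any term (operator=or, the default) or every term
    (operator=and) is present. Term order is irrelevant in both cases."""
    doc_terms = set(analyze(message))
    query_terms = analyze(query_text)
    if operator == "and":
        return all(t in doc_terms for t in query_terms)
    return any(t in doc_terms for t in query_terms)


def regexp_match(message, pattern):
    """What the poster actually wants: the pattern applied to the whole raw
    message, so order and adjacency are enforced."""
    return re.search(pattern, message) is not None


def matching_indexes(pattern, strategy, messages=SAMPLE_MESSAGES):
    """Return the indexes of the sample messages selected by one strategy:
    'or' and 'and' use the emulated match query, 'regexp' uses the raw regex."""
    hits = []
    for i, msg in enumerate(messages):
        if strategy == "regexp":
            hit = regexp_match(msg, pattern)
        else:
            hit = match_query(msg, pattern, operator=strategy)
        if hit:
            hits.append(i)
    return hits


def watcher_query_body(pattern, operator="and", window="now-16s"):
    """Hypothetical search body for the post's watch input with the operator
    override applied; the outer filtered/range structure mirrors the snippet."""
    return {
        "query": {
            "filtered": {
                "query": {
                    "match": {"message": {"query": pattern, "operator": operator}}
                },
                "filter": {
                    "bool": {"must": [{"range": {"@timestamp": {"gte": window}}}]}
                },
            }
        }
    }


if __name__ == "__main__":
    for name, pattern in (("A", PATTERN_A), ("B", PATTERN_B)):
        for strategy in ("or", "and", "regexp"):
            print(name, strategy, matching_indexes(pattern, strategy))
```

Running the block shows the three behaviours side by side: with the default OR operator every sample message matches both patterns, which is exactly the "both watches send an email" symptom; switching to AND separates the two LINK-5-CHANGED patterns but still accepts message 3, because term order is not part of a match query; only the regex over the raw message selects the single intended line. Whether a regex query can be applied in the watch depends on the field mapping (an analyzed `message` field is matched term by term), so the practical check is to run the candidate query body against the index by hand before wiring it into the watch.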