Multiple filter for query not working as expected

We are using Elasticsearch as the backend for our Wazuh cluster. I am trying to filter our results to those which contain values from "filter 01" and exclude results from "filter 02"; however, it looks like it's not working and is showing results which contain "filter 02" too!

I need values which contain rule.id = 100018 AND exclude ones which do not contain rule.id = 100017.

{
  "aggs": {
    "2": {
      "terms": {
        "field": "agent.name",
        "order": {
          "_count": "desc"
        },
        "size": 500
      }
    }
  },
  "size": 0,
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "exists": {
            "field": "agent.name"
          }
        },
        {
          "match_phrase": {
            "rule.id": "100018"
          }
        },
        {
          "range": {
            "timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-06-06T03:57:15.412Z",
              "lte": "2023-06-07T03:57:15.412Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": [
        {
          "match_phrase": {
            "rule.id": "100017"
          }
        }
      ]
    }
  }
}

The request seems to be fine; however, I am failing to understand why it's not filtering out the results as expected.


Hi,

I suppose a simple ruleId:"your id" in the search bar should pick up only that data in Discover.

I am trying to add results which match the filter 100018 and negate the ones which have rule.id 100017.

The resulting subset should have only data which found rule.id = 100018 and not those which had rule.id = 100017 in them.

This way I am trying to report on a subset of data.

This may be considered resolved; I pulled the data using the Elasticsearch API and used scripting to find the delta from the last run.
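An added example, not from this thread and not Wazuh's or Elastic's code: a small Python model of the query posted above, run over constructed Wazuh-style alert documents. It shows why the `must_not` on rule.id 100017 cannot remove anything that the `filter` on rule.id 100018 has not already removed (each alert document carries exactly one rule.id, so "has 100018 but not 100017" is a property of an agent, not of a document), and then the two ways to get the agent-level difference: the client-side set difference the thread settled on, and a server-side version that buckets per agent.name and keeps only buckets with a 100018 hit and no 100017 hit using Elasticsearch's `terms`, `filter` and `bucket_selector` aggregations. The field names, rule IDs and time range are the thread's; the host names, the alert sample, the aggregation names `per_agent`, `has_a`, `has_b` and `keep`, and the use of `term` (assuming rule.id is mapped as keyword) are assumptions, and the query body is only constructed here, not sent to a cluster.

```python
"""Added example (not from the original thread). Models the thread's bool
query locally and contrasts it with an agent-level difference.
Rule IDs 100018 / 100017 come from the thread; everything else is constructed."""
from collections import defaultdict

# Constructed sample of Wazuh alert documents. Each alert carries ONE rule.id.
SAMPLE_ALERTS = [
    {"agent": {"name": "host-a"}, "rule": {"id": "100018"}},
    {"agent": {"name": "host-a"}, "rule": {"id": "100017"}},   # host-a has both
    {"agent": {"name": "host-b"}, "rule": {"id": "100018"}},   # host-b has only 100018
    {"agent": {"name": "host-c"}, "rule": {"id": "100017"}},   # host-c has only 100017
    {"agent": {"name": "host-d"}, "rule": {"id": "100018"}},
    {"agent": {"name": "host-d"}, "rule": {"id": "5710"}},     # unrelated rule
]


def matches_bool(doc, want_rule, exclude_rule):
    """Local model of the posted query, evaluated per document:
    filter  -> rule.id must equal want_rule
    must_not -> rule.id must not equal exclude_rule"""
    rid = doc["rule"]["id"]
    return rid == want_rule and rid != exclude_rule


def agents_per_document_filter(docs, want_rule="100018", exclude_rule="100017"):
    """What the posted query's terms aggregation on agent.name yields: every agent
    with at least one matching alert. The must_not clause changes nothing here,
    because a document whose rule.id is 100018 can never also be 100017."""
    return sorted({d["agent"]["name"] for d in docs
                   if matches_bool(d, want_rule, exclude_rule)})


def agents_with_a_but_not_b(docs, rule_a="100018", rule_b="100017"):
    """Client-side agent-level difference (the approach the thread ended with):
    agents that raised rule_a at least once and never raised rule_b."""
    rules_by_agent = defaultdict(set)
    for d in docs:
        rules_by_agent[d["agent"]["name"]].add(d["rule"]["id"])
    return sorted(agent for agent, rules in rules_by_agent.items()
                  if rule_a in rules and rule_b not in rules)


def build_server_side_query(rule_a="100018", rule_b="100017",
                            gte="2023-06-06T03:57:15.412Z",
                            lte="2023-06-07T03:57:15.412Z"):
    """Server-side equivalent of agents_with_a_but_not_b: restrict hits to the two
    rules and the time window, bucket per agent.name, count each rule inside the
    bucket with a filter sub-aggregation, and keep buckets where the rule_a count
    is > 0 and the rule_b count is 0 via bucket_selector. Aggregation names are
    assumptions; `term` assumes rule.id is a keyword field."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"rule.id": [rule_a, rule_b]}},
            {"range": {"timestamp": {"format": "strict_date_optional_time",
                                     "gte": gte, "lte": lte}}},
        ]}},
        "aggs": {"per_agent": {
            "terms": {"field": "agent.name", "size": 500},
            "aggs": {
                "has_a": {"filter": {"term": {"rule.id": rule_a}}},
                "has_b": {"filter": {"term": {"rule.id": rule_b}}},
                "keep": {"bucket_selector": {
                    "buckets_path": {"a": "has_a._count", "b": "has_b._count"},
                    "script": "params.a > 0 && params.b == 0",
                }},
            },
        }},
    }


if __name__ == "__main__":
    print("posted query (per document):", agents_per_document_filter(SAMPLE_ALERTS))
    print("agent-level difference:      ", agents_with_a_but_not_b(SAMPLE_ALERTS))
```

On the constructed sample, the per-document model returns host-a, host-b and host-d, while the agent-level difference returns only host-b and host-d: host-a is dropped because it also raised 100017, which no combination of `filter` and `must_not` on the same single-valued field can express. When reporting on alert coverage this way, the server-side aggregation keeps the agent list consistent with the same time window the dashboard uses, whereas the client-side version depends on pulling every hit for both rules.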
