Must condition with OR condition

Chaitanya1 · January 17, 2019, 2:45pm

Hi Team,

I want to optimize the watcher scripts created. I created almost 21 scripts with different message patterns.
My aim is to reduce the number of scripts.

I want to change the must match pattern with OR condition.
"must": [
{
"match_phrase": {
"app.name": "mlm?-*"
}
},
{
"match_phrase": {
"level": "warn"
}
}
],
"must_not": [
{
"match_phrase": {
"logger_name": "org.hibernate.orm.deprecation"
}
},
{

However, i could observe that Must operates with AND logic. If i enter many must conditions , script checks for all conditions. My aim is to use OR logic.
Example - must "Account locked" or must "database connection lost" . Action (email) should be triggered if logs has any one of the message.

Please help. Thanks in advance.

madhan3396 · January 17, 2019, 4:34pm

Use should instead of must.

{
"query":{
	"bool":{
		"should":[
			{"term":{"AccountLocked":"true"}},
			{"term":{"DatabaseConnection":"lost"}}
		],
		"minimum_should_match" : 1
	}
}}

minimum_should_match = 1, says that either 1 termsquery in the should should satisfy.

Chaitanya1 · January 18, 2019, 5:52am

Thank you Madhan. I will try as you said and let you know the result.

Chaitanya1 · January 19, 2019, 5:56am

Hi Madhan,

I tried the Should clause in the script. However, the script is only searching for one term. When logs has both Account locked and Database connection lost. The alert is not showing the result with 2 details

Attached the script

Please let me know where exactly i am doing wrong.
{
"trigger": {
"schedule": {
"interval": "10m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"pc-prod*"
],
"types": ,
"body": {
"query": {
"bool": {
"should": [
{
"match": {
"message": "Heartbeat"
}
},
{
"match": {
"message": "DataSource"
}
}
],
"filter": {
"range": {
"@timestamp": {
"from": "now-10m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"attachments": {
"Error_Details": {
"data": {
"format": "json"
}
}
},
"priority": "high",
"to": [
"abc.com"
],
"subject": "MLM - PROD - {{ctx.payload.hits.hits._source.beat.hostname}} -or logic",
"body": {
"text": "Hi Team, \n\n {{ctx.payload.hits.hits._source.beat.hostname}} \n\n Please check attachment for more details \n\n Log Details:\nCount : {{ctx.payload.hits.total}}\n {{ctx.payload.hits.hits.0._source.message}}"
}
}
}
}
}

madhan3396 · January 21, 2019, 4:53am

Hi
Where is "minimum_should_match":1 in your part of query?

Try giving that too.

system · February 18, 2019, 4:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.