Must_not query is not working in Watcher

Hi,

I'm working on Watcher, and in the input section I'm writing the query below:

"input": {
  "search": {
    "request": {
      "search_type": "query_then_fetch",
      "indices": [
        "filebeat*"
      ],
      "types": [],
      "body": {
        "query": {
          "bool": {
            "must_not": [
              {
                "query_string": {
                  "default_field": "ipaddress",
                  "query": "10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost"
                }
              }
            ],
            "filter": {
              "range": {
                "@timestamp": {
                  "gte": "now-1d"
                }
              }
            }
          }
        }
      }
    }
  }
},

Here I want an alert to be triggered when a new value, other than these values (10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost), is recorded in the ipaddress field.

But it is not working accordingly! Watcher is getting triggered when the given IPs (10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost) are recorded in the ipaddress field, which is not expected.

Can you please help?

My complete watcher:

{
  "trigger": {
    "schedule": {
      "interval": "1d"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must_not": [
                {
                  "query_string": {
                    "default_field": "ipaddress",
                    "query": "10.6.0.10 OR 10.6.0.12 OR 10.6.0.15 OR 10.6.0.3 OR 10.6.10.10 OR localhost"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1d"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "WARNING"
      }
    },
    "send_email": {
      "email": {
        "profile": "standard",
        "priority": "high",
        "to": [
          "karan@ler.com"
        ],
        "subject": "Database received",
        "body": {
          "text": "WARNING"
        }
      }
    }
  }
}
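As an added example (not code from the original post or from Elastic), the following Python models how Elasticsearch evaluates this watch's bool query over a few constructed filebeat-style events, so you can see which documents still count toward ctx.payload.hits.total: a must_not clause keeps every document the inner query does not match, so events that lack the ipaddress field entirely are one common reason such a watch fires. The field type (ip/keyword, exact-value matching), the timestamps and the event values are assumptions.

```python
# Added example, not from the original post: a simplified, offline model of how
# Elasticsearch evaluates this watch's bool query (must_not + range filter).
# Assumption: "ipaddress" is an ip/keyword field, so query_string terms match
# values exactly; all events below are constructed sample data.
from datetime import datetime, timedelta, timezone

KNOWN_HOSTS = {"10.6.0.10", "10.6.0.12", "10.6.0.15", "10.6.0.3",
               "10.6.10.10", "localhost"}


def query_string_matches(doc):
    """The must_not clause: 'a OR b OR ...' on default_field ipaddress.
    A missing field can never match; a multi-valued field matches if ANY
    of its values is in the list."""
    values = doc.get("ipaddress")
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    return any(v in KNOWN_HOSTS for v in values)


def in_window(doc, now, window=timedelta(days=1)):
    """The filter clause: @timestamp >= now-1d."""
    return doc["@timestamp"] >= now - window


def watch_hits(docs, now):
    """Documents the search input returns; hits.total is their count."""
    return [d for d in docs if in_window(d, now) and not query_string_matches(d)]


def explain_hits(docs, now):
    """For each hit, the ipaddress value(s) that let it through the must_not."""
    return [(d["id"], d.get("ipaddress", "<field missing>"))
            for d in watch_hits(docs, now)]


NOW = datetime(2020, 1, 2, tzinfo=timezone.utc)  # constructed reference time
DOCS = [  # constructed filebeat-like events
    {"id": "a", "ipaddress": "10.6.0.10", "@timestamp": NOW - timedelta(hours=1)},
    {"id": "b", "ipaddress": "10.9.9.9", "@timestamp": NOW - timedelta(hours=2)},
    {"id": "c", "@timestamp": NOW - timedelta(hours=3)},  # no ipaddress field
    {"id": "d", "ipaddress": ["10.6.0.10", "10.9.9.9"],
     "@timestamp": NOW - timedelta(hours=4)},  # known IP hides the unknown one
    {"id": "e", "ipaddress": "10.9.9.9", "@timestamp": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for doc_id, value in explain_hits(DOCS, NOW):
        print(doc_id, value)
```

Running it lists "b" (an unknown IP) and "c" (no ipaddress field at all) as the two hits, while "d" is suppressed even though it carries an unknown IP, because the OR list matches any single value of a multi-valued field.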
