Must_not with an exception

In basic terms, I have a current kibana alert and the query is set up to exclude all systems that have 800-999 in the hostname with the extraction query code below. That works fine.

However, I would like to exclude one system from that must_not, let's just say a system with 855 in the name. How can I exclude 800-999, but include 855?

            "must_not": [
                    "regexp": {
                        "host.hostname": {
                            "value": ".*[8-9][0-9][0-9].*",
                            "flags_value": 65535,
                            "max_determinized_states": 10000,
                            "boost": 1


My gut feeling tells me that there might be a better and more performant solution than using a regexp query. Can you share a sample hostname/document and maybe we can find a more performant solution by indexing parts of the hostname into a dedicated field and then having fast queries?


Hi Alex, thanks for the response. Sample hostnames could be system801, system901, system123, but they could also be anything else. They could be abc100defg or hijklmnop. The query is saying exclude the specific systems that are system800-999, but anything else include.

As background there are probably 20+ alerts/queries that exist already, created by someone else that are set up similarly. My specific task is to allow system855 which falls in that range of 800-999 to be included in this one alert.

Curious if anyone has other potential suggestions on this one?
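One way to carve out the exception, as an added example that is not from any post in this thread: keep the existing regexp, but wrap it in an inner `bool` whose own `must_not` names the host to keep, and put that inner `bool` in the outer `must_not`. The inner clause then matches "in 800-999 AND not 855", so system855 is no longer excluded. The script builds that query and runs an offline approximation over hostnames constructed from the examples given above (the `local_filter` check is a Python stand-in for Elasticsearch, not an ES call).

```python
import json
import re

# Constructed sample hostnames, based on the examples in the thread.
SAMPLE_HOSTNAMES = ["system801", "system855", "system901", "system123",
                    "abc100defg", "hijklmnop"]

# Lucene regexp from the existing alert: hostname contains 800-999.
RANGE_800_999 = ".*[8-9][0-9][0-9].*"
EXCEPTION = "855"  # substring that marks the host to keep


def build_must_not_with_exception(range_regex=RANGE_800_999, keep=EXCEPTION):
    """Return a bool query that drops hosts matching range_regex unless
    the hostname also contains `keep`. Both regexp and wildcard expect a
    keyword field, which host.hostname is in ECS. If only one exact host
    should be kept, a term query on the full hostname is tighter than
    the wildcard used here."""
    return {
        "bool": {
            "must_not": [{
                "bool": {
                    "must": [
                        {"regexp": {"host.hostname": {"value": range_regex}}}
                    ],
                    "must_not": [
                        {"wildcard": {"host.hostname": {"value": f"*{keep}*"}}}
                    ],
                }
            }]
        }
    }


def as_json(query):
    """Serialise the query the way it would be pasted into the alert."""
    return json.dumps(query, indent=2)


def local_filter(hostnames, range_regex=RANGE_800_999, keep=EXCEPTION):
    """Offline approximation of the query logic. Lucene regexps are
    anchored to the whole value, so fullmatch mirrors that behaviour."""
    pattern = re.compile(range_regex)
    kept = []
    for host in hostnames:
        in_range = pattern.fullmatch(host) is not None
        excluded = in_range and keep not in host
        if not excluded:
            kept.append(host)
    return kept


if __name__ == "__main__":
    print(as_json(build_must_not_with_exception()))
    print(local_filter(SAMPLE_HOSTNAMES))
```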
