Need help in writing DSL

I searched a lot but couldn't write a proper KQL query. I am trying to search for the string "error" in the message field AND the field kubernetes.pod.name must contain test-*.

I tried this, but it isn't working:

{
  "size": 1,
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "message": {
              "query": "error",
              "operator": "OR",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        },
        {
          "match": {
            "kubernetes.pod.name": {
              "query": "test-*",
              "operator": "OR",
              "prefix_length": 0,
              "max_expansions": 50,
              "fuzzy_transpositions": true,
              "lenient": false,
              "zero_terms_query": "NONE",
              "auto_generate_synonyms_phrase_query": true,
              "boost": 1
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "from": "now-10000m",
              "to": null,
              "include_lower": true,
              "include_upper": true,
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

The mapping of the field is:

    "mappings" : {
          "kubernetes.pod.name" : {
            "full_name" : "kubernetes.pod.name",
            "mapping" : {
              "name" : {
                "type" : "keyword",
                "ignore_above" : 1024
              }
            }
          }
        }
