Nested bool queries return an error


#1

Hello everyone,

I am building a search query which dynamically adds a set of constraints (bool) to the query. The general expected structure is as follows

OR (

AND (
    condition
    condition
    ...
)

AND (
    condition
    condition
    ...
)

)

In other words, I have a set (one or more) of conditions which must all be met (the AND above). There may be several such sets; any one of them should be enough for the final match (the OR above).

Here is an example of such a structure, as generated by my code (this is the full API query; the generated part is "bool"). It is available online for easier reading.

{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "must": [
                    {
                      "term": {
                        "attack_ip": "10.89.7.117"
                      }
                    },
                    {
                      "term": {
                        "sentinel_port": "17"
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "must": [
                    {
                      "term": {
                        "attack_ip": "10.89.7.118"
                      }
                    }
                  ]
                }
              }
            ]
          }
        },
        {
          "range": {
            "eventtime": {
              "gte": "2018-03-05T13:55:27.927+01:00"
            }
          }
        }
      ]
    },
    "size": 0,
    "aggs": {
      "src": {
        "terms": {
          "field": "attack_ip",
          "size": 1000
        },
        "aggs": {
          "dst": {
            "terms": {
              "field": "sentinel_hostname_lan",
              "size": 2000
            }
          }
        }
      }
    }
  }
}

My understanding of this query was:

  • if "attack_ip === 10.89.7.117" and "sentinel_port === 17"
  • or
  • if "attack_ip === 10.89.7.118"

AND

  • match the range

the entry will match

Unfortunately, upon calling Elasticsearch, I get the error

"error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 1,
        "col": 177
      }
    ],
    "type": "parsing_exception",
    "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 1,
    "col": 177
  },
  "status": 400
}

What does this error mean?

(initially asked on SO)


#2

The error ended up being the query section encompassing the aggs one, while they should be at the same level.
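As an added example (not code from the thread), here is a Python builder for the OR-of-ANDs structure described in #1 that keeps "query", "size" and "aggs" as siblings, plus a small check that flags body keys nested inside "query" the way the failing request had them. Field names, values and the aggregations are copied from the thread; `minimum_should_match: 1` is stated explicitly here rather than relied on as the default.

```python
import json

# Constructed from the thread: two constraint sets (OR of ANDs) and a time bound.
CONSTRAINT_SETS = [
    {"attack_ip": "10.89.7.117", "sentinel_port": "17"},
    {"attack_ip": "10.89.7.118"},
]
SINCE = "2018-03-05T13:55:27.927+01:00"
AGGS = {"src": {"terms": {"field": "attack_ip", "size": 1000},
                "aggs": {"dst": {"terms": {"field": "sentinel_hostname_lan",
                                           "size": 2000}}}}}

# Request-body keys that are siblings of "query", never children of it.
TOP_LEVEL_KEYS = {"size", "from", "aggs", "aggregations", "sort", "_source"}


def build_query(constraint_sets, since):
    """OR of ANDs: every term in a set must match, any one set is enough,
    and the eventtime range applies on top of all of them."""
    should = [
        {"bool": {"must": [{"term": {f: v}} for f, v in sorted(cs.items())]}}
        for cs in constraint_sets
    ]
    return {"bool": {"must": [
        # minimum_should_match: 1 is the default for a should-only bool;
        # stated explicitly so the OR semantics are visible in the query.
        {"bool": {"should": should, "minimum_should_match": 1}},
        {"range": {"eventtime": {"gte": since}}},
    ]}}


def build_request(constraint_sets, since, aggs):
    """The "query", "size" and "aggs" keys must be siblings; nesting the
    latter two inside "query" is what produced the parsing_exception."""
    return {"query": build_query(constraint_sets, since), "size": 0, "aggs": aggs}


def misplaced_in_query(request):
    """Return top-level body keys wrongly nested under "query". The bool parser
    closes its object and then meets e.g. "size", hence
    '[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]'."""
    return sorted(k for k in request.get("query", {}) if k in TOP_LEVEL_KEYS)


if __name__ == "__main__":
    request = build_request(CONSTRAINT_SETS, SINCE, AGGS)
    print(json.dumps(request, indent=2))
    print("misplaced keys under query:", misplaced_in_query(request))
```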


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.