Hello everyone,
I am building a search query which dynamically adds a set of constraints (bool) to the query. The general expected structure is as follows
OR (
AND (
condition
condition
...
)
AND (
condition
condition
...
)
)
In other words I have a set (one or more) of conditions which must all be met (AND above). There may be several of such sets, any of them should be enough for the final match (the OR above).
An example of such structure, as generated by my code (this is the full API query, the generated part is "bool"). It is available online for easier reading
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"term": {
"attack_ip": "10.89.7.117"
}
},
{
"term": {
"sentinel_port": "17"
}
}
]
}
},
{
"bool": {
"must": [
{
"term": {
"attack_ip": "10.89.7.118"
}
}
]
}
}
]
}
},
{
"range": {
"eventtime": {
"gte": "2018-03-05T13:55:27.927+01:00"
}
}
}
]
},
"size": 0,
"aggs": {
"src": {
"terms": {
"field": "attack_ip",
"size": 1000
},
"aggs": {
"dst": {
"terms": {
"field": "sentinel_hostname_lan",
"size": 2000
}
}
}
}
}
}
}
My understanding of this query was:
- if
"attack_ip === 10.89.7.117"and"sentinel_port === 17"- or
- if
"attack_ip === 10.89.7.118"AND
- match the
range
the entry will match
Unfortunately I get upon calling Elasticsearch the error
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 1,
"col": 177
}
],
"type": "parsing_exception",
"reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 1,
"col": 177
},
"status": 400
}
What does this error mean?
(initially asked on SO)