Hi all, I am trying to create an alert on a JSON log that matches any of three job names with a failed condition, and to check this condition every 70 minutes.
The alert is not working for two reasons:
1) The range I am trying to apply on the scheduled time is not working, because this time field is mapped as a string in the index.
2) If I run the query without the range, it returns JSON logs for other job names that failed, so the match combination is somehow also not working:
I would be grateful for any suggestions.
Below is my query:
{
"size": 100,
"query": {
"bool": {
"filter": [
{
"match_all": {
"boost": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"LOGS.NAME.keyword": {
"query": "TASK_110067",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"LOGS.NAME.keyword": {
"query": "TASK_14404",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"LOGS.NAME.keyword": {
"query": "TASK_1440",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"minimum_should_match": "1",
"boost": 1
}
},
{
"match_phrase": {
"LOGS.STATE.keyword": {
"query": "FAILED",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"range": {
"LOGS.SCHEDULED_TIME.keyword": {
"from": "now-70m",
"to": "now",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"_source": {
"includes": [],
"excludes": []
},
"stored_fields": "*",
"docvalue_fields": [],
"script_fields": {},
"aggregations": {}
}