OR search queries using Watchers

I'm looking for a specific type of event. I have a query that I input into the discovery search that looks similar to below:

(event1 OR event2) AND (message1 OR message2 OR message3) AND message10

It works in Discovery with no issues but can't quite seem to get this working using Watchers. I can't figure out the logic. Can anyone assist?

I don't think this is an issue with Watcher, per se. I think you are asking how to replicate a complex Discover query in Elasticsearch. Since I was unaware how Discover transformed the query you write into an Elasticsearch query, I turned on logging of all queries and made a somewhat complex query. It's not as complex as yours, but I think you can figure it out from here. I am using the sample Shakespeare dataset.

First, to set your elasticsearch cluster to log queries,

% curl -H'content-type:application/json' -XPUT "http://localhost:9200/_settings" -d'
{
    "index.search.slowlog.threshold.query.debug": "0s"
}'

and I executed the following query in kibana

(Fifth OR Henry) AND whiles

and got the following logged (I have massaged the logged query output so it's easier to read, removed all the \n etc.)

{
	"query": {
		"bool": {
			"filter": [{
				"bool": {
					"filter": [{
						"bool": {
							"should": [{
								"multi_match": {
									"query": "Fifth",
									"fields": [],
									"type": "best_fields",
									"operator": "OR",
									"slop": 0,
									"prefix_length": 0,
									"max_expansions": 50,
									"lenient": true,
									"zero_terms_query": "NONE",
									"auto_generate_synonyms_phrase_query": true,
									"fuzzy_transpositions": true,
									"boost": 1.0
								}
							}, {
								"multi_match": {
									"query": "Henry",
									"fields": [],
									"type": "best_fields",
									"operator": "OR",
									"slop": 0,
									"prefix_length": 0,
									"max_expansions": 50,
									"lenient": true,
									"zero_terms_query": "NONE",
									"auto_generate_synonyms_phrase_query": true,
									"fuzzy_transpositions": true,
									"boost": 1.0
								}
							}],
							"adjust_pure_negative": true,
							"minimum_should_match": "1",
							"boost": 1.0
						}
					}, {
						"multi_match": {
							"query": "whiles",
							"fields": [],
							"type": "best_fields",
							"operator": "OR",
							"slop": 0,
							"prefix_length": 0,
							"max_expansions": 50,
							"lenient": true,
							"zero_terms_query": "NONE",
							"auto_generate_synonyms_phrase_query": true,
							"fuzzy_transpositions": true,
							"boost": 1.0
						}
					}],
					"adjust_pure_negative": true,
					"boost": 1.0
				}
			}],
			"adjust_pure_negative": true,
			"boost": 1.0
		}
	}
}

And once you have done this, you can apply a query like that to a Watcher search input and get what you want. Just don't forget to turn the query logging back to a sane value once you have finished!
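To make the answer above concrete for the original question, here is an added example (not code from the thread or from Elastic) that builds the same bool/filter/should shape the slow log revealed, but for the asker's "(event1 OR event2) AND (message1 OR message2 OR message3) AND message10" query, wraps it in a Watcher definition, and checks the AND/OR nesting offline against a few constructed sample events before anything is deployed. The index pattern "logs-*", the "@timestamp" field, the schedule, the logging action and the sample documents are all assumptions; the slow-log threshold values are the real Elasticsearch settings ("0s" logs everything, "-1" is the default that disables the threshold).

```python
"""Build the Elasticsearch query behind a Kibana "(a OR b) AND (c OR d) AND e"
search and wrap it in a Watcher definition.  Added illustration, not code from
the forum thread; index name, timestamp field and action are assumptions."""
import json
import re


def multi_match(term):
    # Same shape Discover logged above: no explicit fields (so the index's
    # default fields, i.e. all of them), lenient so non-text fields don't error.
    return {"multi_match": {"query": term, "fields": [], "type": "best_fields",
                            "operator": "OR", "lenient": True}}


def or_group(terms):
    # "(t1 OR t2 OR ...)" -> bool.should with minimum_should_match 1.
    # A single bare term needs no wrapping.
    if len(terms) == 1:
        return multi_match(terms[0])
    return {"bool": {"should": [multi_match(t) for t in terms],
                     "minimum_should_match": "1"}}


def and_of_or_groups(groups):
    # Every OR group must match -> bool.filter (no scoring, cacheable).
    return {"bool": {"filter": [or_group(g) for g in groups]}}


def build_watch(groups, index="logs-*", window="5m", interval="1m"):
    # Assumed Watcher layout: look back `window` every `interval`, fire when
    # anything matched.  ctx.payload.hits.total is a plain integer in Watcher.
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {"indices": [index], "body": {
            "size": 0,
            "query": {"bool": {"filter": [
                and_of_or_groups(groups),
                {"range": {"@timestamp": {"gte": f"now-{window}"}}},
            ]}},
        }}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log_hits": {"logging": {
            "text": "{{ctx.payload.hits.total}} matching events in {{ctx.watch_id}}"}}},
    }


def slowlog_settings(enable):
    # "0s" logs every query at debug level; "-1" disables the threshold again.
    return {"index.search.slowlog.threshold.query.debug": "0s" if enable else "-1"}


def matches(doc, query):
    """Tiny offline evaluator for the DSL subset produced above (bool filter /
    should and multi_match over every field, standard-analyzer-style tokens).
    It exists only to sanity-check the nesting, not to replace Elasticsearch."""
    if "multi_match" in query:
        term = query["multi_match"]["query"].lower()
        return any(term in re.findall(r"\w+", str(v).lower()) for v in doc.values())
    b = query["bool"]
    if "filter" in b:
        return all(matches(doc, q) for q in b["filter"])
    return any(matches(doc, q) for q in b["should"])


OP_GROUPS = [["event1", "event2"], ["message1", "message2", "message3"], ["message10"]]

SAMPLE_DOCS = [  # constructed sample events, not real log data
    {"event": "event1", "message": "message2 seen with message10"},  # should match
    {"event": "event2", "message": "message10 only"},                # no message1/2/3
    {"event": "event7", "message": "message1 message10"},            # wrong event
    {"event": "event2", "message": "message3 then message10"},       # should match
]


def matching_docs(docs=SAMPLE_DOCS, groups=OP_GROUPS):
    query = and_of_or_groups(groups)
    return [d for d in docs if matches(d, query)]


if __name__ == "__main__":
    print(json.dumps(build_watch(OP_GROUPS), indent=2))
    print("offline matches:", matching_docs())
    print("reset slow log with:", json.dumps(slowlog_settings(False)))
```

The generated body can be PUT to `_watcher/watch/<id>` as-is; `size: 0` keeps the payload small because only `hits.total` feeds the condition. Run the offline check first: if a document you expect to alert on is missing from `matching_docs()`, the grouping is wrong before it is a Watcher problem.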
