Query against a list of objects

Hello, we're currently using winlogbeat to send domain controller logs to Elasticsearch and I was wondering how I would query against a list of objects, for example a list of usernames. After looking into it I think I need to do something with 'terms queries' (https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-terms-query.html).

I did create a document with a list of usernames but couldn't figure out how to query against it, particularly whilst using Kibana with the winlogbeat-* index pattern - can anyone help with this?

Thanks.

I'm not sure about kibana, but you shouldn't need to create a document. You can use the list of terms.

If the list is short (like, less than 100) it is probably just fine to do a bunch of term queries in a should clause in a bool query. If you use the query_string query (which I think kibana does in that big text box) that'd look like (field:value | field:value | field:value).

Thanks for getting back to me; yes I suppose I could just create a list of query terms in the text box and save it. Just for the future though in case I do need to query against a large list of objects in a document, can you give me an example of such a query?

The Elasticsearch example is at the bottom of the page you linked. I'm not sure about kibana, sorry!
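A worked version of the terms lookup query that the answer points to, alongside the short-list forms from the earlier reply. This is an added example, not code from the thread or from Elastic; the watchlist index name, document id, and the winlogbeat user field are assumptions, so check them against your own mapping.

```python
import json

# Constructed watchlist document: the "document with a list of usernames"
# from the question, kept in its own small index rather than in winlogbeat-*.
WATCHLIST_INDEX = "watchlists"            # assumed index name
WATCHLIST_ID = "privileged-accounts"      # assumed document id
WATCHLIST_DOC = {"usernames": ["svc_backup", "da_admin", "helpdesk01"]}

# Field holding the logon account in winlogbeat events. Assumed here: ECS
# mappings use user.name; older module output keeps winlog.event_data.TargetUserName.
USER_FIELD = "user.name"


def terms_lookup_query(field, index, doc_id, path):
    """Terms lookup: Elasticsearch GETs the list from another document at query
    time, so the event query stays tiny no matter how long the list grows."""
    return {"query": {"terms": {field: {"index": index, "id": doc_id, "path": path}}}}


def inline_terms_query(field, values):
    """Plain terms query for short lists; same effect as a bool/should of term queries."""
    return {"query": {"terms": {field: list(values)}}}


def kibana_query_string(field, values):
    """Lucene syntax for the Kibana search box: field:value OR field:value ..."""
    return " OR ".join(f'{field}:"{v}"' for v in values)


def match_terms(events, field, values):
    """Local stand-in for a terms query on a keyword field: exact, case-sensitive
    comparison with no analysis on either side, which is the usual surprise."""
    wanted = set(values)
    return [e for e in events if e.get(field) in wanted]


# Constructed sample events in winlogbeat shape (only the fields we filter on).
EVENTS = [
    {"event.code": "4624", USER_FIELD: "svc_backup"},
    {"event.code": "4624", USER_FIELD: "DA_ADMIN"},  # case differs: no keyword match
    {"event.code": "4625", USER_FIELD: "jsmith"},
]

if __name__ == "__main__":
    print(json.dumps(terms_lookup_query(USER_FIELD, WATCHLIST_INDEX, WATCHLIST_ID, "usernames"), indent=2))
    print(kibana_query_string(USER_FIELD, WATCHLIST_DOC["usernames"]))
    print([e[USER_FIELD] for e in match_terms(EVENTS, USER_FIELD, WATCHLIST_DOC["usernames"])])
```

The lookup document must be retrievable with a plain GET at query time, and the number of terms a single query may use is bounded by the index setting `index.max_terms_count` (default 65536).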

No worries, thanks for getting back to me.
