Hello guys, I hope you are doing well and staying healthy.
I'm having a little trouble using DSL queries.
My objective is this:
I want to trigger an event where the action must be "UserLoggedIn", the country must NOT be Portugal, and I also want to add some exceptions.
The following query actually works, but I don't know how to, or can't, add some of the exceptions I want.
So, imagine I don't want to trigger if the user is "john@hotmail.com" and the country is "Germany". With the following query I'm not triggering any kind of logs from "john@hotmail.com", and I need to add the country verification inside each exception.
And if there was an event from "john@hotmail.com" and the country "Spain", the event would still trigger. That's what I mean.
Let me know if my explanation is not clear.
My query:
```json
"body": {
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "event.action": "UserLoggedIn"
          }
        },
        {
          "range": {
            "logstash_processed_at": {
              "gte": "now-1m",
              "lte": "now"
            }
          }
        }
      ],
      "must_not": [
        {
          "match": {
            "geoip.country_name": "Portugal"
          }
        },
        {
          "match": {
            "user.id": "john@hotmail.com"
          }
        },
        {
          "match": {
            "user.id": "michael@hotmail.com"
          }
        },
        {
          "match": {
            "user.id": "william@hotmail.com"
          }
        }
      ]
    }
  }
}
```
I have already read some of the documentation in order to understand, and I haven't yet found anything that would fulfil my requirements. If there is something I must read before doing this, I'm open to it!
Thank you so much for your help.
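The following is an added example, not code from the original post: it builds the bool query so that each exception requires both the user and the country (a nested `bool` with its own `must` inside the outer `must_not`), and checks the resulting logic offline against constructed sample events with a small evaluator. The exception list, the sample events, the fixed "now" timestamp, and the flat field names are all assumptions made for the example; real Elasticsearch `match` semantics depend on the field mapping (on an analyzed `text` field, prefer `term` on a `.keyword` sub-field for exact comparison), whereas the toy evaluator below only does exact equality.

```python
# Added example (not from the original post): express "UserLoggedIn outside
# Portugal, except for specific user+country pairs" as an Elasticsearch bool
# query and check its logic offline against constructed sample events.
from datetime import datetime, timedelta, timezone

# Hypothetical exception list: (user.id, geoip.country_name) pairs that must NOT trigger.
EXCEPTIONS = [
    ("john@hotmail.com", "Germany"),
    ("michael@hotmail.com", "France"),
    ("william@hotmail.com", "Spain"),
]


def build_query(exceptions=EXCEPTIONS):
    """Return the query body. Each exception is a nested bool whose `must`
    requires BOTH the user and the country, so john from Spain still triggers
    while john from Germany is suppressed."""
    must_not = [{"match": {"geoip.country_name": "Portugal"}}]
    for user, country in exceptions:
        must_not.append({"bool": {"must": [
            {"match": {"user.id": user}},
            {"match": {"geoip.country_name": country}},
        ]}})
    return {"query": {"bool": {
        "must": [
            {"match": {"event.action": "UserLoggedIn"}},
            {"range": {"logstash_processed_at": {"gte": "now-1m", "lte": "now"}}},
        ],
        "must_not": must_not,
    }}}


# Fixed "now" so the offline evaluation is deterministic (assumption).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _resolve(expr, now):
    """Resolve the subset of date math used here: "now" and "now-<n>m"."""
    if expr == "now":
        return now
    if expr.startswith("now-") and expr.endswith("m"):
        return now - timedelta(minutes=int(expr[4:-1]))
    raise ValueError("unsupported date math: %s" % expr)


def matches(clause, event, now=NOW):
    """Toy evaluator for match/range/bool clauses over a flat event dict.
    `match` is treated as exact equality, which is only what Elasticsearch
    does on keyword-type fields."""
    if "match" in clause:
        (field, value), = clause["match"].items()
        return event.get(field) == value
    if "range" in clause:
        (field, bounds), = clause["range"].items()
        ts = datetime.fromisoformat(event[field])
        return _resolve(bounds["gte"], now) <= ts <= _resolve(bounds["lte"], now)
    if "bool" in clause:
        b = clause["bool"]
        return (all(matches(c, event, now) for c in b.get("must", []))
                and not any(matches(c, event, now) for c in b.get("must_not", [])))
    raise ValueError("unsupported clause: %r" % clause)


def should_trigger(event, now=NOW):
    return matches(build_query()["query"], event, now)


def _event(user, country, action="UserLoggedIn", ts="2024-01-01T11:59:30+00:00"):
    # Constructed sample event with the same field names as the post's query.
    return {"event.action": action, "geoip.country_name": country,
            "user.id": user, "logstash_processed_at": ts}


def evaluate_samples():
    """Map each constructed scenario to whether the rule would fire."""
    samples = {
        "john_germany_exception": _event("john@hotmail.com", "Germany"),
        "john_spain_still_fires": _event("john@hotmail.com", "Spain"),
        "alice_portugal_excluded": _event("alice@example.com", "Portugal"),
        "alice_france_fires": _event("alice@example.com", "France"),
        "wrong_action": _event("alice@example.com", "France", action="UserLoggedOut"),
        "outside_window": _event("alice@example.com", "France", ts="2024-01-01T11:55:00+00:00"),
    }
    return {name: should_trigger(ev) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name}: {'TRIGGER' if fired else 'suppressed'}")
```

In a real deployment only `build_query(...)` is sent as the request body; the evaluator exists so the suppression logic can be reasoned about before the rule goes live. The key structural point is that a `user.id` clause placed directly in `must_not` suppresses every event for that user, whereas wrapping it together with a country clause in a nested `bool.must` suppresses only the combination.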