Hi All,
I am perfoming this query
{
"query": {
"bool": {
"must": [
{
"query_string": {
"analyze_wildcard": "false",
"query": "source_affiliate:nlmail AND (_exists_:tmngx_state OR _exists_:lock_reason OR _exists_:spamAction OR _exists_:mailUserStatus OR _exists_:mailQuota OR _exists_:mailbox_usage)"
}
},
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
}
],
"must_not": []
}
}
}
But I am wondering if I write this the below part correctly.
source_affiliate:nlmail AND (_exists_:tmngx_state OR _exists_:lock_reason OR _exists_:spamAction OR _exists_:mailUserStatus OR _exists_:mailQuota OR _exists_:mailbox_usage)
I am trying the below notation aswell and that seems to give me the same result.
source_affiliate:nlmail AND _exists_:(tmngx_state OR lock_reason OR spamAction OR mailUserStatus OR mailQuota OR mailbox_usage)
I wonder which one is correct or are the both correct?
Regards,
Paul.