Query notation question


(Pjanzen) #1

Hi All,

I am performing this query

{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "analyze_wildcard": "false",
            "query": "source_affiliate:nlmail AND (_exists_:tmngx_state OR _exists_:lock_reason OR _exists_:spamAction OR _exists_:mailUserStatus OR _exists_:mailQuota OR _exists_:mailbox_usage)"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-5m",
              "lte": "now"
            }
          }
        }
      ],
      "must_not": []
    }
  }
}

But I am wondering if I write the below part correctly.

source_affiliate:nlmail AND (_exists_:tmngx_state OR _exists_:lock_reason OR _exists_:spamAction OR _exists_:mailUserStatus OR _exists_:mailQuota OR _exists_:mailbox_usage)

I am trying the below notation as well and that seems to give me the same result.

source_affiliate:nlmail AND _exists_:(tmngx_state OR lock_reason OR spamAction OR mailUserStatus OR mailQuota OR mailbox_usage)

I wonder which one is correct, or are they both correct?

Regards,
Paul.