Query that parses and works fine in ES, fails to parse/work in Watcher

Hi all,

I've ventured out to depths where I cannot reach the bottom.

I have a search that finds events from a standard winlogbeat index, where I look at events from a set of specific users, with the 'should' bool - because I'm looking for any one of them. That is bool-must'ed together with a time range, like this:

{
  "query": {
    "bool": {
      "must": {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "event_data.TargetUserName": {
                  "query": "user-a"
                }
              }
            },
            {
              "match_phrase": {
                "event_data.TargetUserName": {
                  "query": "user-b"
                }
              }
            },
            {
              "match_phrase": {
                "event_data.TargetUserName": {
                  "query": "user-c"
                }
              }
            }
          ]
        }
      },
      "must": {
        "range": {
          "@timestamp": {
            "gte": "now-30m"
          }
        }
      }

    }
  }
}

And it works as I'd like it to, I can validate the results, and I'm very happy about it. :slight_smile:

However, having created some watchers where I replace my 'query' section of the standard watcher template, I've not been able to get the above to work, as it doesn't parse in the Watcher JSON editor; the second 'must' keyword gives me a:

Duplicate key "must"

Which puzzles me, as the query works when run from e.g. the developer console; but the same query as search input to watcher doesn't work.

So either I'm doing it very wrong entirely (which is my guess), which happens to work outside Watcher, or (less likely) something is off with watcher.

:slight_smile:

I hope someone can point out what I'm doing wrong.

The full content of my watcher editor (Kibana/Elasticsearch 5.6.14):

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": {
                "bool": {
                  "should": [
                    {
                      "match_phrase": {
                        "event_data.TargetUserName": {
                          "query": "user-a"
                        }
                      }
                    },
                    {
                      "match_phrase": {
                        "event_data.TargetUserName": {
                          "query": "user-b"
                        }
                      }
                    },
                    {
                      "match_phrase": {
                        "event_data.TargetUserName": {
                          "query": "user-c"
                        }
                      }
                    }
                  ]
                }
              },
              "must": {
                "range": {
                  "@timestamp": {
                    "gte": "now-30m"
                  }
                }
              }
            }
          }
        },
        "indices": [
          "winlogbeat-*"
        ]
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "text": "There are {{ctx.payload.hits.total}} documents in your index. Threshold is 10."
      }
    }
  }
}

Hi @mje,

I guess the proper syntax would be "must" : [{...1st...}, {...2nd....}], see "2 'musts' in 1 bool illegal?" and "Elasticsearch bool query formation with multiple must clause".

Best,
Oleg
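
The array form suggested above can be checked and produced mechanically before a watch is saved. The following is an added example, not code from the posters or from Elastic: it parses a query body, reports repeated keys, and merges repeated bool clauses into one array. The names `normalize_query` and `BOOL_CLAUSES` are hypothetical, and the sample is the thread's query shortened to one user. It also shows that a last-value-wins JSON parser (Python's default) would silently keep only the time range, leaving a watch that no longer filters on the user names.

```python
import json

# Clause keys of a bool query that accept one object or an array of objects.
# Assumption of this example: a repeated key with one of these names is merged
# wherever it appears, not only directly under "bool".
BOOL_CLAUSES = {"must", "should", "filter", "must_not"}

def _pairs_hook(duplicates):
    """Build an object_pairs_hook that merges repeated clause keys into arrays."""
    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key not in obj:
                obj[key] = value
                continue
            duplicates.append(key)
            if key not in BOOL_CLAUSES:
                # Any other repeated key is ambiguous: refuse instead of guessing.
                raise ValueError(f"duplicate key {key!r} cannot be merged safely")
            first = obj[key] if isinstance(obj[key], list) else [obj[key]]
            extra = value if isinstance(value, list) else [value]
            obj[key] = first + extra
        return obj
    return hook

def normalize_query(text):
    """Return (query, duplicates) with repeated bool clauses merged into arrays."""
    duplicates = []
    query = json.loads(text, object_pairs_hook=_pairs_hook(duplicates))
    return query, duplicates

# Constructed sample: the query from the thread, shortened to a single user.
SAMPLE = """
{"query": {"bool": {
  "must": {"bool": {"should": [
    {"match_phrase": {"event_data.TargetUserName": {"query": "user-a"}}}]}},
  "must": {"range": {"@timestamp": {"gte": "now-30m"}}}
}}}
"""

if __name__ == "__main__":
    # Python's default parser keeps only the last "must": the user filter is gone.
    naive = json.loads(SAMPLE)
    print("last-value-wins must:", json.dumps(naive["query"]["bool"]["must"]))
    fixed, dups = normalize_query(SAMPLE)
    print("repeated keys:", dups)
    print(json.dumps(fixed, indent=2))
```
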

That did it, thank you so much. :smiley:

However, I'm still surprised that it works in std. dev console/curl. :neutral_face:
