Question about query

Hello.

I have a problem with a query. I'm trying to add several fields and only one of them is permitted.
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"The default transaction resource manager"}}],"minimum_number_should_match":1}}]}}}'

This is the query and my question is: I want to add another "must_not" so that I don't receive messages with these fields, but only one must_not is permitted. Could you help me?

Thanks.

Javier.

You can specify only one must_not clause, but as this field is an array, you can specify several queries inside of it like this (pseudocode):

"must_not" : [
  { first_query },
  { second_query }
]

Hi.
My problem is that with one must_not it is working, but when I add another one with a correct text it's not running, i.e.:
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}}, {"match_phrase_prefix":{"level":{"query":"Error"}}}, {"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"bool":{"should":[{"match":{"message":"Microsoft Antimalware has encountered"}},{"match":{"message":"Installation Failure"}}]}}],"minimum_number_should_match":1}}]}}}'
In addition.
Any ideas?


I have these messages:

"message": TEXT-A: " The default transaction resource manager on volume encountered a non-retryable error and could not start"
"message": TEXT-B: " Microsoft Antimalware has encountered an error trying to update signatures"
"message": TEXT-C: " Microsoft Antimalware has encountered an error trying to update signatures.\n \tNew Signature Version: \n \tPrevious Signature Version: 1.253.923.0\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage"

Run the query:
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}}],"minimum_number_should_match":1}}]}}}'

Results of query:
"message":"TEXT B"
"message":"TEXT C"

Run the query
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}},{"match":{"message":"TEXT B"}}],"minimum_number_should_match":1}}]}}}'

Results of the query:
No entries.

What do I have to do to filter "TEXT A" and "TEXT B" and only get "TEXT C"?
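A worked example added here, not code from the thread or from Elasticsearch itself: it builds the same bool query in Python with an arbitrary list of must_not clauses (serialised with json.dumps, so the start-time value can never alter the structure of the JSON the way shell string interpolation can) and then checks the must_not clauses against the three messages above with a deliberately simplified model of how Elasticsearch's match, match_phrase and term clauses decide a hit. The message texts, the must_not strings ("The default transaction resource manager" and "Microsoft Antimalware has encountered", taken from the earlier posts), the "7d" start value and the message.keyword sub-field are constructed or assumed for the example; minimum_should_match is the current name of the minimum_number_should_match key used in the thread.

```python
"""Added example: bool query with a must_not array, plus a toy model of
Elasticsearch clause semantics run over three constructed log messages."""
import json
import re

# Constructed sample documents modelled on TEXT-A, TEXT-B and TEXT-C from the thread.
DOCS = {
    "TEXT-A": "The default transaction resource manager on volume encountered "
              "a non-retryable error and could not start",
    "TEXT-B": "Microsoft Antimalware has encountered an error trying to update signatures",
    "TEXT-C": "Microsoft Antimalware has encountered an error trying to update signatures."
              "\n \tNew Signature Version: \n \tPrevious Signature Version: 1.253.923.0"
              "\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage",
}

# must_not clauses in the shapes discussed in the thread (strings from the earlier posts).
MUST_NOT_A = {"match": {"message": "The default transaction resource manager"}}
MUST_NOT_B_MATCH = {"match": {"message": "Microsoft Antimalware has encountered"}}
MUST_NOT_B_PHRASE = {"match_phrase": {"message": "Microsoft Antimalware has encountered"}}
# Assumed: the mapping has a message.keyword sub-field (the dynamic-mapping default).
MUST_NOT_B_EXACT = {"term": {"message.keyword": {"value": DOCS["TEXT-B"]}}}


def build_query(relative_start, must_not_clauses):
    """The thread's query as a structure; relative_start stands in for
    $RELATIVE_START_TIME_TO_SEARCH (assumed to look like "7d")."""
    return {"query": {"bool": {"must": [
        {"range": {"@timestamp": {"gte": f"now-{relative_start}/d", "lt": "now/d"}}},
        {"match_phrase_prefix": {"level": {"query": "Error"}}},
        {"bool": {
            "should": [
                {"match_phrase_prefix": {"log_name": {"query": "System"}}},
                {"match_phrase_prefix": {"level": {"query": "Security"}}},
            ],
            # must_not is an array: every clause listed here excludes documents.
            "must_not": list(must_not_clauses),
            "minimum_should_match": 1,
        }},
    ]}}}


def to_json(query):
    """Serialise for the request body; json.dumps escapes whatever the values contain."""
    return json.dumps(query)


def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase word tokens."""
    return re.findall(r"\w+", text.lower())


def match_hits(doc_text, query_text):
    """`match` with the default OR operator: any shared analysed term is a hit."""
    return bool(set(analyze(doc_text)) & set(analyze(query_text)))


def match_phrase_hits(doc_text, query_text):
    """`match_phrase`: the query terms must appear contiguously and in order."""
    d, q = analyze(doc_text), analyze(query_text)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def term_keyword_hits(doc_text, value):
    """`term` on a keyword field: the whole stored string must be identical."""
    return doc_text == value


EVALUATORS = {"match": match_hits, "match_phrase": match_phrase_hits, "term": term_keyword_hits}


def clause_hits(clause, doc_text):
    """Evaluate one leaf clause against a document's message text."""
    (kind, body), = clause.items()      # e.g. ("match", {"message": ...})
    (_field, arg), = body.items()       # the field name is not needed in this toy model
    if isinstance(arg, dict):           # long forms: {"query": ...} or {"value": ...}
        arg = arg.get("query", arg.get("value"))
    return EVALUATORS[kind](doc_text, arg)


def surviving(must_not_clauses):
    """Names of the sample messages that a must_not array does NOT exclude
    (the must/should clauses are assumed to hit all three)."""
    return sorted(name for name, text in DOCS.items()
                  if not any(clause_hits(c, text) for c in must_not_clauses))


if __name__ == "__main__":
    for label, clauses in [
        ("must_not A only", [MUST_NOT_A]),
        ("A + match B", [MUST_NOT_A, MUST_NOT_B_MATCH]),
        ("A + match_phrase B", [MUST_NOT_A, MUST_NOT_B_PHRASE]),
        ("A + exact keyword B", [MUST_NOT_A, MUST_NOT_B_EXACT]),
    ]:
        print(f"{label:22s} -> {surviving(clauses)}")
    print(to_json(build_query("7d", [MUST_NOT_A, MUST_NOT_B_EXACT])))
```

In this model the first query keeps TEXT-B and TEXT-C, as in the thread, while adding a `match` on the words of TEXT-B returns nothing, because `match` is an OR over analysed terms and TEXT-C contains every one of those terms; a `match_phrase` on the same words behaves the same, since TEXT-C starts with that exact phrase. Only a comparison of the whole stored value (here a `term` on a keyword sub-field) excludes TEXT-B without also excluding TEXT-C, and that comparison is literal, so the leading space and exact wording of the stored message matter. The real analyzer and scoring differ in detail from this toy; the point is which clause type separates a message from a longer message that contains it.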
