I have a problem with a query. I'm trying to add several fields and only one of them is permitted.
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"The default transaction resource manager"}}],"minimum_number_should_match":1}}]}}}'
This is the query, and my question is: I want to add another "must_not" so that I don't receive messages with these fields, but only one must_not is permitted. Could you help me?
Hi.
My problem is that it works with one must_not, but when I add one more, with correct text, it does not run, i.e.:
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}}, {"match_phrase_prefix":{"level":{"query":"Error"}}}, {"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"bool":{"should":[{"match":{"message":"Microsoft Antimalware has encountered"}},{"match":{"message":"Installation Failure"}}]}}],"minimum_number_should_match":1}}]}}}'
In addition.
Any idea?
"message": TEXT-A: " The default transaction resource manager on volume encountered a non-retryable error and could not start"
"message": TEXT-B: " Microsoft Antimalware has encountered an error trying to update signatures"
"message": TEXT-C: " Microsoft Antimalware has encountered an error trying to update signatures.\n \tNew Signature Version: \n \tPrevious Signature Version: 1.253.923.0\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage"
Run the query:
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}}],"minimum_number_should_match":1}}]}}}'
Results of query:
"message":"TEXT B"
"message":"TEXT C"
Run the query
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}},{"match":{"message":"TEXT B"}}],"minimum_number_should_match":1}}]}}}'
Results of the query:
No entries.
What I have to do to filter "TEXT A" and "TEXT B" and only get "TEXT C"?
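The result depends less on how many must_not entries the bool query holds (it accepts any number) than on what each entry actually matches. A `match` on an analyzed text field uses operator OR by default, so a clause built from a whole log message excludes every document sharing any term with it; `match_phrase` is tighter but still drops TEXT C because TEXT B is a prefix of it; only an exact comparison against a keyword (not analyzed) value excludes TEXT B alone. For a detection query that is the difference between hiding one known-noisy event and silently hiding every error that mentions "encountered" or "error". The following is an added example, not code from the original post: it rebuilds the poster's query with a configurable list of exclusions and evaluates the four exclusion styles locally against three constructed messages modelled on TEXT A, B and C. It assumes `message` is a text field analyzed roughly like the standard analyzer, that a `message.keyword` sub-field exists (the default dynamic mapping in recent Elasticsearch versions; older mappings need an equivalent `not_analyzed` field), and it uses the `minimum_should_match` spelling of that parameter.

```python
import json
import re

# Constructed sample documents modelled on the three messages quoted in the post.
# These are illustrative data, not records pulled from the poster's cluster.
TEXT_A = ("The default transaction resource manager on volume encountered "
          "a non-retryable error and could not start")
TEXT_B = "Microsoft Antimalware has encountered an error trying to update signatures"
TEXT_C = (TEXT_B + ".\n \tNew Signature Version: \n \tPrevious Signature Version: "
          "1.253.923.0\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage")

DOCS = [
    {"label": "TEXT A", "level": "Error", "log_name": "System", "message": TEXT_A},
    {"label": "TEXT B", "level": "Error", "log_name": "System", "message": TEXT_B},
    {"label": "TEXT C", "level": "Error", "log_name": "System", "message": TEXT_C},
]


def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on non-word characters."""
    return [tok for tok in re.split(r"[^\w]+", text.lower()) if tok]


def match_or(query_text, doc_text):
    """`match` with the default operator OR: any analyzed query term present in the field."""
    return bool(set(analyze(query_text)) & set(analyze(doc_text)))


def match_and(query_text, doc_text):
    """`match` with "operator": "and": every query term present, in any order."""
    return set(analyze(query_text)) <= set(analyze(doc_text))


def match_phrase(query_text, doc_text):
    """`match_phrase`: the query terms appear contiguously and in order."""
    q, d = analyze(query_text), analyze(doc_text)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def term_keyword(query_text, doc_text):
    """`term` on a keyword (not analyzed) sub-field: exact, whole-value equality."""
    return query_text == doc_text


CLAUSES = {
    "match_or": match_or,
    "match_and": match_and,
    "match_phrase": match_phrase,
    "term_keyword": term_keyword,
}


def exclusion(kind, text):
    """Build one must_not entry of the requested kind for the message field."""
    if kind == "match_or":
        return {"match": {"message": text}}
    if kind == "match_and":
        return {"match": {"message": {"query": text, "operator": "and"}}}
    if kind == "match_phrase":
        return {"match_phrase": {"message": text}}
    if kind == "term_keyword":
        # Assumes a keyword sub-field named message.keyword exists in the mapping.
        return {"term": {"message.keyword": text}}
    raise ValueError(kind)


def build_query(relative_start, excluded_messages, kind="term_keyword"):
    """Same shape as the poster's query, with any number of must_not entries."""
    return {"query": {"bool": {"must": [
        {"range": {"@timestamp": {"gte": "now-%s/d" % relative_start, "lt": "now/d"}}},
        {"match_phrase_prefix": {"level": {"query": "Error"}}},
        {"bool": {
            "should": [
                {"match_phrase_prefix": {"log_name": {"query": "System"}}},
                {"match_phrase_prefix": {"level": {"query": "Security"}}},
            ],
            "must_not": [exclusion(kind, m) for m in excluded_messages],
            "minimum_should_match": 1,
        }},
    ]}}}


def survivors(excluded_messages, kind):
    """Labels of sample docs that the must_not clauses do NOT drop.

    Only the must_not part is evaluated locally; the range, level and log_name
    clauses are satisfied by all three samples by construction.
    """
    hit = CLAUSES[kind]
    return [d["label"] for d in DOCS
            if not any(hit(m, d["message"]) for m in excluded_messages)]


if __name__ == "__main__":
    for kind in CLAUSES:
        print("%-13s exclude A   -> %s" % (kind, survivors([TEXT_A], kind)))
        print("%-13s exclude A+B -> %s" % (kind, survivors([TEXT_A, TEXT_B], kind)))
    print(json.dumps(build_query("7d", [TEXT_A, TEXT_B]), indent=2))
```

Under these assumptions the OR-style `match` drops all three samples even when only TEXT A is excluded, because TEXT B and TEXT C share the terms "encountered" and "error" with it; `match_and` and `match_phrase` keep B and C for that single exclusion but drop C as soon as B is excluded, since B's terms appear verbatim at the start of C; only the keyword comparison returns TEXT C alone for the two-entry must_not. The shell variable in the original query maps to the `relative_start` argument (for example `"7d"`), and the generated document can be passed to the search API as the request body.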