Question about query

Javier · October 26, 2017, 7:29am

Hello.

I have a problem with a query. I´m trying to add several fields and only one of them is permit.
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query"
:"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"The default transaction resource mana
ger"}}],"minimum_number_should_match":1}}]}}}'

This is the query and mi question is: I want to add another "must_not" to don´t receive messages with these fields but only one must_not is permit. Could you Help me?.

Thanks.

Javier.

spinscale · October 27, 2017, 3:00pm

you can specifiy only one must_not clause, but as this field is an array, you can specifiy several queries inside of that like this (pseudocode)

"must_not" : [
  { first_query },
  { second_query }
]

Javier · October 30, 2017, 2:09pm

Hi.
My problema is that with a must_not is working, but I add another more with a correct text it´s not running, ie:QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}}, {"match_phrase_prefix":{"level":{"query":"Error"}}}, {"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"bool":{"should":[{"match":{"message":"Microsoft Antimalware has encountered"}},{"match":{"message":"Installation Failure"}}]}}],"minimum_number_should_match":1}}]}}}'
In addition.
Some idea?

Javier · October 31, 2017, 11:43am

I have these messages: "message":TEXT-A: " The default transaction resource manager on volume encountered anon-retryable error and could not start""message":TEXT-B: " Microsoft Antimalware has encountered an error trying to updatesignatures""message":TEXT-C: " Microsoft Antimalware has encountered an error trying to updatesignatures.\n \tNew Signature Version: \n \tPrevious Signature Version:1.253.923.0\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage" Run thequery:QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXTA"}}],"minimum_number_should_match":1}}]}}}' Results of query:"message":"TEXT B""message":"TEXTC" Run the query QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXTA"}},{"match":{"message":"TEXT B"}}],"minimum_number_should_match":1}}]}}}' Results of the query:No entries. What I haveto do to filter "TEXT A" and "TEXT B" and only get "TEXT C"?

Javier · October 31, 2017, 11:46am

I have these messages:

"message": TEXT-A: " The default transaction resource manager on volume encountered a non-retryable error and could not start"
"message": TEXT-B: " Microsoft Antimalware has encountered an error trying to update signatures"
"message": TEXT-C: " Microsoft Antimalware has encountered an error trying to update signatures.\n \tNew Signature Version: \n \tPrevious Signature Version: 1.253.923.0\n \tUpdate Source: Microsoft Update Server\n \tUpdate Stage"

Run the query:
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}}],"minimum_number_should_match":1}}]}}}'

Results of query:
"message":"TEXT B"
"message":"TEXT C"

Run the query
QUERY='{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-'$RELATIVE_START_TIME_TO_SEARCH'/d","lt":"now/d"}}},{"match_phrase_prefix":{"level":{"query":"Error"}}},{"bool":{"should":[{"match_phrase_prefix":{"log_name":{"query":"System"}}},{"match_phrase_prefix":{"level":{"query":"Security"}}}],"must_not":[{"match":{"message":"TEXT A"}},{"match":{"message":"TEXT B"}}],"minimum_number_should_match":1}}]}}}'

Results of the query:
No entries.

What I have to do to filter "TEXT A" and "TEXT B" and only get "TEXT C"?

system · November 28, 2017, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.