I am new to the tool and request some help. Currently utilizing 6.8.
I was looking to create a monitor on field.meta.statusCode : 200, along with its corresponding message, for a particular index. Below is a sample query where I am trying to identify the message first, then add the statusCode field. Currently I get only 2 hits, which is wrong; I was trying to extract both the message and the code (eventually). Please advise how to query accurately. Discover is simple: I am able to add the message and status code fields to identify the results. However, querying is a problem. Thank you in advance.
{
  "version": true,
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "message",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "timestamp": {
              "from": "{{period_end}}||-10m",
              "to": "{{period_end}}",
              "include_lower": true,
              "include_upper": true,
              "boost": 1
            }
          }
        }
      ]
    }
  }
}
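As an added illustration (not part of the original post), the following Python builds a query body that selects events with field.meta.statusCode equal to 200 that also carry a message, and applies the same three conditions locally to constructed sample events so the effect of each clause is visible without a cluster. It assumes statusCode is mapped as a number (use the string "200" if it is a keyword) and keeps the {{period_end}} placeholder from the original; the sample events are constructed, not real data.

```python
import datetime as dt


def build_monitor_query(period_end="{{period_end}}", window="10m", size=10):
    """Query body: statusCode 200 AND a message present AND inside the window.
    A query_string of "message" would instead look for the word "message"."""
    return {
        "size": size,  # 0 returns only counts, so the message text is never returned
        "_source": ["message", "field.meta.statusCode"],
        "query": {"bool": {"filter": [  # filter: exact matching, no scoring
            {"term": {"field.meta.statusCode": 200}},  # "200" if mapped as keyword
            {"exists": {"field": "message"}},
            {"range": {"timestamp": {"gte": f"{period_end}||-{window}",
                                     "lte": period_end}}},
        ]}},
    }


def _get(doc, path):
    # Resolve a dotted path such as "field.meta.statusCode" in a nested dict.
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def select_hits(docs, period_end, window_minutes=10):
    """Apply the same three conditions locally (a stand-in for the filter above)."""
    start = period_end - dt.timedelta(minutes=window_minutes)
    return [
        {"message": d["message"], "statusCode": _get(d, "field.meta.statusCode")}
        for d in docs
        if _get(d, "field.meta.statusCode") == 200
        and _get(d, "message") is not None
        and start <= d["timestamp"] <= period_end
    ]


NOW = dt.datetime(2024, 1, 1, 12, 0, 0)  # constructed period_end
SAMPLE_EVENTS = [  # constructed sample events
    {"timestamp": NOW - dt.timedelta(minutes=2), "message": "GET /login ok",
     "field": {"meta": {"statusCode": 200}}},
    {"timestamp": NOW - dt.timedelta(minutes=3), "message": "GET /admin denied",
     "field": {"meta": {"statusCode": 403}}},           # wrong status
    {"timestamp": NOW - dt.timedelta(minutes=4),
     "field": {"meta": {"statusCode": 200}}},           # status 200 but no message
    {"timestamp": NOW - dt.timedelta(minutes=30), "message": "GET /old ok",
     "field": {"meta": {"statusCode": 200}}},           # outside the 10 minute window
]
```

Only the first sample event satisfies all three clauses; the others show what each clause excludes.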