Scripting query

Can someone please explain the purpose of each line?

    {
      "query": {
        "match": {
          "event_data.SubjectUserName": "LOCAL SERVICE"
        }
      }
    }

The first line instructs Elasticsearch to execute a "match" query. There are many different queries, and match is one of them. You can find information about the match query here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-match-query.html

The match query can be used to search for one or more terms in a specific field in your documents. In this case, Elasticsearch will search for the terms "LOCAL" or "SERVICE" in the field "event_data.SubjectUserName" of your documents.

All documents that contain either (or both) of these terms will be a match. Elasticsearch will score the documents based on how well these documents match your query and by default returns you the top 10 documents with the highest score.
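As an added illustration (not part of the original thread), the following Python snippet builds the three query bodies a practitioner would compare here and evaluates them locally against a handful of constructed `event_data.SubjectUserName` values. It assumes the field is analyzed with Elasticsearch's standard analyzer (tokenized on non-word characters and lowercased) and that a `.keyword` subfield holds the untouched value; both are assumptions about the mapping, not facts from the post. The point it makes is the security-relevant one: a plain `match` for "LOCAL SERVICE" also returns "NETWORK SERVICE", because the terms are OR-ed, while `"operator": "and"` or a `term` query on the keyword subfield narrows the hits.

```python
import re

# Constructed sample documents (not from the original thread): values one might see
# in event_data.SubjectUserName on Windows Security events.
SAMPLE_DOCS = [
    {"id": 1, "event_data.SubjectUserName": "LOCAL SERVICE"},
    {"id": 2, "event_data.SubjectUserName": "NETWORK SERVICE"},
    {"id": 3, "event_data.SubjectUserName": "local service"},
    {"id": 4, "event_data.SubjectUserName": "svc-backup"},
    {"id": 5, "event_data.SubjectUserName": "Administrator"},
]


def analyze(text):
    """Approximation of the standard analyzer: split on non-word characters, lowercase.
    Assumption: the text field uses the default analyzer."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def match_query(field, text, operator="or"):
    """Build the request body for a match query; operator is "or" (default) or "and"."""
    return {"query": {"match": {field: {"query": text, "operator": operator}}}}


def term_query(field, value):
    """Build the request body for an exact term query (meant for a keyword field)."""
    return {"query": {"term": {field: value}}}


def evaluate(query, docs):
    """Decide which docs the query body would hit (no relevance scoring, just match/no-match).
    Assumption: a field ending in .keyword is the unanalyzed copy of the parent field."""
    q = query["query"]
    hits = []
    if "match" in q:
        (field, params), = q["match"].items()
        wanted = set(analyze(params["query"]))
        need_all = params.get("operator", "or") == "and"
        for d in docs:
            have = set(analyze(d.get(field, "")))
            common = wanted & have
            if (need_all and common == wanted) or (not need_all and common):
                hits.append(d["id"])
    elif "term" in q:
        (field, value), = q["term"].items()
        base = field[: -len(".keyword")] if field.endswith(".keyword") else field
        hits = [d["id"] for d in docs if d.get(base) == value]
    return hits


def compare_queries(docs=SAMPLE_DOCS):
    """Run the OR match, the AND match and the keyword term query side by side."""
    field = "event_data.SubjectUserName"
    return {
        "match_or": evaluate(match_query(field, "LOCAL SERVICE"), docs),
        "match_and": evaluate(match_query(field, "LOCAL SERVICE", "and"), docs),
        "term_keyword": evaluate(term_query(field + ".keyword", "LOCAL SERVICE"), docs),
    }


if __name__ == "__main__":
    for name, ids in compare_queries().items():
        print(f"{name}: {ids}")
```

Running it shows the OR match returning documents 1, 2 and 3 (including "NETWORK SERVICE"), the AND match returning 1 and 3 (case-insensitive, because the analyzer lowercases), and the keyword term query returning only document 1. When a hunt or detection rule is meant to isolate exactly the `LOCAL SERVICE` account, the term query on the keyword subfield (or `match` with `"operator": "and"`) is the one to use.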
