Setup: watcher with multiple must_not values does not apply as expected

I've set the following watcher which aims to ignore events coming from several tenants (as indicated in the "must_not" clause). However, these are not ignored. What am I missing?

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "hws-logs*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "log_level.keyword": "FATAL"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                      "lte": "{{ctx.trigger.scheduled_time}}",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              ],
              "must_not": {
                "terms": {
                  "event.tenant_id": [
                    "ID_OF_TENANT001",
                    "ID_OF_TENANT002"
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 1
      }
    }
  },
  "actions": {
    "webhook_1": {
      "webhook": {
        "scheme": "https",
        "host": "HOSTNAME",
        "port": 443,
        "method": "post",
        "path": "api/v2/tickets/",
        "params": {},
        "headers": {},
        "auth": {
          "basic": {
            "username": "USERNAME",
            "password": "PASSWORD"
          }
        },
        "body": """{ "description": "ALERT - FATAL - Kibana", "subject": "Kibana Reporting", "email": "EMAIL@ADDRESS.COM", "priority": 1, "status": 2,"group_id":30000054182,"responder_id":30006940628,"type":"Task","custom_fields":{"cf_product":"Workspace"}}"""
      }
    }
  },
  "transform": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "hws-logs*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "match": {
              "log_level.keyword": "FATAL"
            }
          }
        }
      }
    }
  }
}

Can you change the terms to term in the must_not since you're only searching on one term?

Hi Marius,
Thanks for the advice. Applying the change I get the following error:
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[term] query does not support array of values",

Please note that I have multiple tenants I'd like to filter out, not only one.
Anything else you can suggest?
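An added example (not code from the thread or from Elastic) covering both the original question and the `[term] query does not support array of values` error. `terms` is the right clause for several tenants; `term` takes exactly one value. The usual reason a `terms` exclusion matches nothing is that it compares the literal query values against whatever the index stores, without analysis: on a `text` field the stored tokens are lowercased by the standard analyzer, so mixed-case IDs such as `ID_OF_TENANT001` never match, whereas on a `keyword` field the exact string is stored. The script below builds the must_not clause for N tenants, the full bool query, and a small local evaluator over constructed sample documents that reproduces the symptom on a text field and the expected count on the `.keyword` sub-field. It assumes (the page does not say) that `event.tenant_id` is mapped as `text` with a `.keyword` sub-field, the same multi-field layout the watcher already relies on for `log_level.keyword`; confirm the real mapping with `GET hws-logs*/_mapping/field/event.tenant_id` before changing the watcher. If the field is already `keyword` and the exclusion still misses, compare the stored values with a `terms` aggregation on that field rather than guessing at them.

```python
"""Added example, not code from the original thread.

Builds the tenant exclusion the watcher needs (a `terms` clause: `term`
accepts exactly one value, which is the parsing_exception quoted above) and
evaluates it locally against constructed sample documents to show why such a
clause can silently match nothing: `terms` is an exact, un-analyzed
comparison, so it has to target a keyword field.

Assumption (not stated on the page): `event.tenant_id` is mapped as `text`
with a `.keyword` sub-field, as the watcher already assumes for
`log_level.keyword`. Check with:  GET hws-logs*/_mapping/field/event.tenant_id
"""
import re

# Constructed sample values; the thread only shows placeholders.
TENANTS_TO_IGNORE = ["ID_OF_TENANT001", "ID_OF_TENANT002"]

SAMPLE_DOCS = [  # constructed, not real log data
    {"log_level": "FATAL", "event": {"tenant_id": "ID_OF_TENANT001"}},
    {"log_level": "FATAL", "event": {"tenant_id": "ID_OF_TENANT002"}},
    {"log_level": "FATAL", "event": {"tenant_id": "ID_OF_TENANT003"}},
    {"log_level": "ERROR", "event": {"tenant_id": "ID_OF_TENANT003"}},
]


def build_tenant_exclusion(tenant_ids, field="event.tenant_id.keyword"):
    """The must_not clause: one `terms` query carrying every tenant to drop."""
    if not tenant_ids:
        raise ValueError("need at least one tenant id to exclude")
    return {"terms": {field: list(tenant_ids)}}


def build_watcher_query(tenant_ids, window="5m", field="event.tenant_id.keyword"):
    """Bool query mirroring the watcher input. must_not may be a single clause
    or an array; an array is used so further exclusions can be appended."""
    return {
        "bool": {
            "must": [
                {"match": {"log_level.keyword": "FATAL"}},
                {"range": {"@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-" + window,
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis",
                }}},
            ],
            "must_not": [build_tenant_exclusion(tenant_ids, field)],
        }
    }


def _analyze(value):
    """Stand-in for the standard analyzer on a text field: lowercase, split on
    characters that are not letters, digits or underscore. Real tokenisation
    differs in corner cases; the point is that the stored token is no longer
    the original, exact string."""
    return [t for t in re.split(r"[^0-9a-z_]+", str(value).lower()) if t]


def _indexed_values(doc, path):
    """What the index holds at `path`: the exact string for a .keyword
    sub-field, analyzer tokens for the parent text field."""
    keyword = path.endswith(".keyword")
    parts = (path[: -len(".keyword")] if keyword else path).split(".")
    cur = doc
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return [cur] if keyword else _analyze(cur)


def terms_matches(doc, clause):
    """Exact comparison; the query values are not analyzed. That is what makes
    `terms` against a text field miss mixed-case ids."""
    (field, values), = clause["terms"].items()
    indexed = _indexed_values(doc, field)
    return any(v in indexed for v in values)


def fatal_hits(docs, tenant_ids, field="event.tenant_id.keyword"):
    """Local stand-in for ctx.payload.hits.total: FATAL docs not excluded."""
    exclusion = build_tenant_exclusion(tenant_ids, field)
    return sum(
        1 for d in docs
        if d.get("log_level") == "FATAL" and not terms_matches(d, exclusion)
    )


if __name__ == "__main__":
    # Against the text field every FATAL doc survives: the exclusion silently
    # matched nothing, which is the symptom described in the question.
    print("text field   :", fatal_hits(SAMPLE_DOCS, TENANTS_TO_IGNORE, "event.tenant_id"))
    # Against the keyword sub-field only TENANT003's FATAL doc remains.
    print("keyword field:", fatal_hits(SAMPLE_DOCS, TENANTS_TO_IGNORE))
```

Swapping `build_watcher_query(...)` into the watcher's `input.search.request.body.query` keeps the rest of the watch unchanged; the only edit to the original is the field name in the `terms` clause.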

