Should I use Simple Query or Match Query?

Dear all =)

If I want to search for the following

host:"10.250.11.11" and custom4:"errors occurred"

then match-query and simple-query-string both look like possible candidates.

I will end up creating Kibana Rules, and since JSON requires use of " it isn't possible to use query-string.

Question 1
If I attempt Match Query:

GET _search
{
  "query": {
    "match": {
      "host": {
        "query": "10.250.11.11"
      }
    },
    "match": {
      "custom4": {
        "query": "errors occurred"
      }
    }
  }
}

then how can I specify that the two matches should be "anded" together?

Question 2
If I attempt Simple Query:

GET /_search
{
  "query": {
    "simple_query_string" : {
        "query": "\"10.250.11.11\" +\"errors occurred\""
    }
  }
}

How can I specify that the first string is from field host and the second is from field custom4?

Hugs,
Sandra =)

You can use bool queries for that.


That is super interesting! Thanks =)

So must translates to and I suppose. What about or?

What could I do for the following two?:

host:"10.250.11.11" OR custom4:"errors occurred"
                    ^^
host:"10.250.11.11" AND (custom4:"errors occurred" OR custom3:"timed out")

Or is should.

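The two answers above (AND becomes bool.must, OR becomes bool.should) applied to the three expressions in this thread, as an added example that is not part of the original posts. It is a small Python builder for Elasticsearch Query DSL; the helper names (match, all_of, any_of, as_filter) are my own, not an Elasticsearch or Kibana API. It also shows why the duplicate "match" key from Question 1 cannot work: a JSON parser keeps only one of the two keys, so the other clause silently disappears.

```python
"""Build Elasticsearch bool queries for the KQL-style expressions in this thread."""
import json


def match(field, text):
    # One match clause. operator "and" requires every term of `text` to be
    # present in the field, so "errors occurred" does not match on "errors" alone.
    return {"match": {field: {"query": text, "operator": "and"}}}


def match_phrase(field, text):
    # Stricter variant: the terms must appear adjacent and in order.
    return {"match_phrase": {field: text}}


def all_of(*clauses):
    # KQL "and": every clause must match (bool.must).
    return {"bool": {"must": list(clauses)}}


def any_of(*clauses):
    # KQL "or": at least one clause must match (bool.should). minimum_should_match
    # is set explicitly because it defaults to 0 once a must/filter clause is present.
    return {"bool": {"should": list(clauses), "minimum_should_match": 1}}


def as_filter(clause):
    # Filter context: a clause is either matched or not and contributes no
    # relevance score, which is what a yes/no alerting rule usually wants.
    return {"bool": {"filter": [clause]}}


def thread_queries():
    """The three expressions from the thread, translated to Query DSL."""
    return {
        # host:"10.250.11.11" and custom4:"errors occurred"
        "and": all_of(match("host", "10.250.11.11"),
                      match("custom4", "errors occurred")),
        # host:"10.250.11.11" OR custom4:"errors occurred"
        "or": any_of(match("host", "10.250.11.11"),
                     match("custom4", "errors occurred")),
        # host:"10.250.11.11" AND (custom4:"errors occurred" OR custom3:"timed out")
        "nested": all_of(match("host", "10.250.11.11"),
                         any_of(match("custom4", "errors occurred"),
                                match_phrase("custom3", "timed out"))),
    }


# The body from Question 1, reconstructed here as a string: two "match" keys in one object.
DUPLICATE_KEY_BODY = """
{"query": {"match": {"host": {"query": "10.250.11.11"}},
           "match": {"custom4": {"query": "errors occurred"}}}}
"""


def surviving_match_fields(body):
    # Python's json module keeps the last duplicate key, so only one clause survives.
    parsed = json.loads(body)
    return sorted(parsed["query"]["match"].keys())


if __name__ == "__main__":
    for name, query in thread_queries().items():
        print(name)
        print(json.dumps({"query": as_filter(query)}, indent=2))
    print("fields left after parsing the duplicate-key body:",
          surviving_match_fields(DUPLICATE_KEY_BODY))
```

Wrap the finished query in as_filter when you paste it into a Kibana rule: the hits are then a plain yes/no set rather than a ranked list, which addresses the later question about only wanting complete matches.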

Excellent. Thanks.

talks about scores. Should I set something so I only get when there are 100% matches?

If you have access to a Kibana instance, you could debug the searches and filters that you specify through the "Inspect" button:

Example Searches:

Example Filters:


Perfect. That is great =)

Do you know if there is a REST API where I can give KQL and get Elastic query back?

Not that I'm aware of; the only section that shows you both KQL & Query DSL is the Kibana Debug interface.

