"Should" is not working in DSL

Hello,

I'm querying elasticsearch using DSL in "dev tools".
I have the following code:

"query": {
    "bool": {
      "must": [
          {"range": {
            "@timestamp": {
              "gte": "now-10m/m",
              "lt": "now/m"
            }
          }}
      ],
      "must_not": [
          {"term": {"dstzone.keyword": "WAN"}},
          {"term": {"dst_ip.keyword": "SOME_IP"}},
          {"term": {"dst_ip.keyword": "SOME_IP"}},
          {"term": {"dst_ip.keyword": "SOME_IP"}},
          {"wildcard": {"dst_ip.keyword": "*.255"}}
      ],
      "should": [
          {"wildcard": {"dst_ip.keyword": "10.*"}},
          {"wildcard": {"dst_ip.keyword": "172.16.*"}},
          {"wildcard": {"dst_ip.keyword": "172.17.*"}},
          {"wildcard": {"dst_ip.keyword": "172.18.*"}},
          {"wildcard": {"dst_ip.keyword": "172.19.*"}},
          {"wildcard": {"dst_ip.keyword": "172.20.*"}},
          {"wildcard": {"dst_ip.keyword": "172.21.*"}},
          {"wildcard": {"dst_ip.keyword": "172.22.*"}},
          {"wildcard": {"dst_ip.keyword": "172.23.*"}},
          {"wildcard": {"dst_ip.keyword": "172.24.*"}},
          {"wildcard": {"dst_ip.keyword": "172.25.*"}},
          {"wildcard": {"dst_ip.keyword": "172.26.*"}},
          {"wildcard": {"dst_ip.keyword": "172.27.*"}},
          {"wildcard": {"dst_ip.keyword": "172.28.*"}},
          {"wildcard": {"dst_ip.keyword": "172.29.*"}},
          {"wildcard": {"dst_ip.keyword": "172.30.*"}},
          {"wildcard": {"dst_ip.keyword": "172.31.*"}},
          {"wildcard": {"dst_ip.keyword": "192.168.*"}}
      ]
    }
  },

This code is supposed to return all documents where "dst_ip" is a private IP, but the problem is that when I execute this code I get many documents where "dst_ip" is public.
Do you have any idea how to fix this?
Thanks in advance.

Can you show a sample document that is returned that you expect not to be?

See this?

I have in my query: bool ==> must + must_not + should
If I put a bool before the should it will raise a syntax error because it will be a bool in a bool.

it will raise a syntax error because it will be a bool in a bool

Bools in bools are fine - you just need the child bool to be put in the right context of the container e.g. as a must or must_not etc

The problem remains; even when I did that I still get unwanted results.

"buckets" : [
        {
          "key" : "192.168.1.3",
          "doc_count" : 461,
          "IP_destination" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : "192.168.1.20",
                "doc_count" : 278
              },
              {
                "key" : "PUBLIC IP",
                "doc_count" : 45
              },
              {
                "key" : "PUBLIC IP",
                "doc_count" : 37
              },

I don't know in what way they are "unwanted" but bear in mind that fields can have multiple values.
The query might match just one of the values but any aggregations on that same field will consider all of the values in those matching docs - not just those that matched the query.
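The two replies above (nesting the `should` list inside its own `bool` under `must`, and the multi-valued-field caveat) can be checked locally. The following is an added example, not code from the thread: a small Python model of Elasticsearch's `bool` semantics run over constructed documents, with a `term` on a hypothetical `proto` field standing in for the `@timestamp` range.

```python
from fnmatch import fnmatchcase

# Constructed sample documents (not from the thread); dst_ip can be multi-valued.
DOCS = [
    {"id": 1, "proto": "tcp", "dstzone": "LAN", "dst_ip": ["192.168.1.20"]},
    {"id": 2, "proto": "tcp", "dstzone": "LAN", "dst_ip": ["203.0.113.7"]},      # public
    {"id": 3, "proto": "tcp", "dstzone": "LAN", "dst_ip": ["10.0.0.5", "203.0.113.9"]},
    {"id": 4, "proto": "tcp", "dstzone": "WAN", "dst_ip": ["172.16.4.4"]},       # must_not
]
PRIVATE = ["10.*"] + [f"172.{n}.*" for n in range(16, 32)] + ["192.168.*"]

def clause_match(clause, doc):
    """Evaluate one term, wildcard or nested bool clause against a document."""
    (kind, body), = clause.items()
    if kind == "bool":
        return bool_match(body, doc)
    (field, pattern), = body.items()
    values = doc.get(field.removesuffix(".keyword"), [])
    values = values if isinstance(values, list) else [values]
    if kind == "term":            # a multi-valued field matches if any value matches
        return pattern in values
    if kind == "wildcard":
        return any(fnmatchcase(v, pattern) for v in values)
    raise ValueError(f"clause type not modelled: {kind}")

def bool_match(b, doc):
    """Bool semantics: every must true, no must_not true; should needs at least
    minimum_should_match hits, which defaults to 0 when must is present, else 1."""
    must, must_not, should = (b.get(k, []) for k in ("must", "must_not", "should"))
    if not all(clause_match(c, doc) for c in must):
        return False
    if any(clause_match(c, doc) for c in must_not):
        return False
    msm = b.get("minimum_should_match", 0 if must else 1)
    return sum(clause_match(c, doc) for c in should) >= msm

def build_query(nest_should):
    """nest_should=False reproduces the thread's shape (should beside must);
    True wraps the should list in its own bool under must, so it becomes mandatory."""
    should = [{"wildcard": {"dst_ip.keyword": p}} for p in PRIVATE]
    must = [{"term": {"proto.keyword": "tcp"}}]   # stands in for the @timestamp range
    q = {"must": must + ([{"bool": {"should": should}}] if nest_should else []),
         "must_not": [{"term": {"dstzone.keyword": "WAN"}},
                      {"wildcard": {"dst_ip.keyword": "*.255"}}]}
    if not nest_should:
        q["should"] = should                     # optional here: public IPs get through
    return q

def matching_ids(nest_should):
    return [d["id"] for d in DOCS if bool_match(build_query(nest_should), d)]

if __name__ == "__main__":
    print("should beside must:", matching_ids(False))      # [1, 2, 3]
    print("should nested under must:", matching_ids(True))  # [1, 3]
```

Setting `"minimum_should_match": 1` on the outer bool gives the same result as nesting; note that document 3 still matches in the fixed query while carrying a public value, which is exactly what a terms aggregation on `dst_ip` would then show.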
