Unknown key for a START_OBJECT in [filter]

aish · October 30, 2017, 3:06pm

I'm new to elasticsearch and I'm trying to find logs with the event id 4625 every minute but getting this error. I can't figure out where I am going wrong.

GET /_search
{
  "query": {
    "match": {
      "event_id": "4,625"
    }
  },
  "filter": {
    "range": {
      "@timestamp": {
        "from": "now-1m",
        "to": "now"
      }
    }
  }
}

This is the response I'm getting:


{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Unknown key for a START_OBJECT in [filter].",
        "line": 7,
        "col": 13
      }
    ],
    "type": "parsing_exception",
    "reason": "Unknown key for a START_OBJECT in [filter].",
    "line": 7,
    "col": 13
  },
  "status": 400
}

dadoonet · October 30, 2017, 3:28pm

Please format your code using </> icon as explained in this guide. It will make your post more readable.

Or use markdown style like:

```
CODE
```

filter does not exist. Where did you see that? Old documentation I guess...

aish · October 30, 2017, 3:39pm

Actually I am trying to start a watcher for alerting. I was getting that error so I was checking each part to check in which line I was getting the error. This is where I saw the filter.

dadoonet · October 30, 2017, 4:16pm

The filter is within a bool query on the website.
You need to fix that

aish · October 30, 2017, 4:20pm

I got confused. That fixed the problem. Thank you very much.

system · November 27, 2017, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.