Watcher - Multiple wildcards not catching

Hello, I am sure I misunderstood something here, but I have a watcher with a few must_not matches and it appears logs are still trickling through:

"body": {
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "log_level": "error"
          }
        },
        {
          "match": {
            "fields.environment_type": "production"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1m"
            }
          }
        }
      ],
      "must_not": [
        { "wildcard": { "message": "*scene_not_current*" } },
        { "wildcard": { "message": "*monotonically*" } },
        { "wildcard": { "message": "*agt_tgt_keys_session_mismatch*" } },
        { "wildcard": { "message": "*Error trying to authenticate DU*" } },
        { "wildcard": { "message": "*unknown error authenticating DU*" } }
      ]
    }
  }
}

Logs containing "unknown error authenticating DU" are still alerting.

"message": [ "2020-03-04 12:43:33.990 [error] <0.30188.298>@vsp_du_auth:authenticate_agent:66 unknown error authenticating DU: req_timedout", "@vsp_du_auth:authenticate_agent:66 unknown error authenticating DU: req_timedout" ]

Am I missing something obvious here?

I needed to use message.keyword and it's now resolved.
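Why the switch to message.keyword fixes it, as an added illustration that is not part of the original thread: wildcard is a term-level query, so on the analysed `text` field `message` the pattern is compared against each token in the index, and a multi-word pattern such as `*unknown error authenticating DU*` can never match a single token. On the `keyword` sub-field the whole untokenised line is indexed, so the same pattern matches. The script below emulates both behaviours on the log line from the thread (the tokenizer is a rough stand-in for the standard analyzer, an assumption made for the demo) and emits the corrected must_not clauses.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the log line quoted in the thread, as the watcher sees it.
SAMPLE_MESSAGE = ("2020-03-04 12:43:33.990 [error] <0.30188.298>@vsp_du_auth:"
                  "authenticate_agent:66 unknown error authenticating DU: req_timedout")

# The must_not patterns from the watcher, unchanged.
MUST_NOT_PATTERNS = [
    "*scene_not_current*",
    "*monotonically*",
    "*agt_tgt_keys_session_mismatch*",
    "*Error trying to authenticate DU*",
    "*unknown error authenticating DU*",
]


def standard_analyze(value):
    """Rough stand-in for the standard analyzer (assumption for this demo):
    keep runs of word characters and dots as tokens, lowercase them."""
    return [tok.lower().strip(".") for tok in re.findall(r"[\w.]+", value)]


def wildcard_hits(pattern, value, field_type):
    """Emulate Elasticsearch's term-level wildcard query.

    `text` field: the pattern is compared, unanalysed and case-sensitively,
    against every indexed token, so patterns containing spaces never match.
    `keyword` field: the pattern is compared against the whole stored value."""
    if field_type == "keyword":
        return fnmatchcase(value, pattern)
    return any(fnmatchcase(tok, pattern) for tok in standard_analyze(value))


def excluded_by_must_not(message, field_type):
    """True when at least one must_not clause matches, i.e. the hit is dropped."""
    return any(wildcard_hits(p, message, field_type) for p in MUST_NOT_PATTERNS)


def build_must_not(field):
    """Build the must_not array for the given field, e.g. 'message.keyword'."""
    return [{"wildcard": {field: p}} for p in MUST_NOT_PATTERNS]


if __name__ == "__main__":
    print("excluded via message (text):   ", excluded_by_must_not(SAMPLE_MESSAGE, "text"))
    print("excluded via message.keyword:  ", excluded_by_must_not(SAMPLE_MESSAGE, "keyword"))
    print(build_must_not("message.keyword"))
```

Two caveats when relying on the keyword sub-field: default dynamic mappings create it with `ignore_above: 256`, so lines longer than that have no keyword value and are never excluded, and leading-wildcard patterns on keyword fields are expensive because every term has to be scanned.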
