Why is my search returning all values from time filter

Hi,
I'm a bit confused by this simple search:

curl -XGET 'localhost:9200/logstash-*/_count?pretty' -d'
{
  "query": { 
    "bool": { 
      "should": [
        { "match_phrase": { "Info":"OPTICAL_FIBER_MISCONNECT(l)"       }},
        { "match_phrase": { "Info":"LACP_STATE_DOWN(l)" }}
      ],
      "filter": [ 
        { "range": { "@timestamp":{"gte":"now-7d" }}}
      ]
    }
  }
}
' -H 'Content-Type: application/json'

Instead of returning a count of documents containing the two values in the should statement, the query will return all values in the time filter despite the timefilter being outside the "should" statement.
I'm following this exact page, except for the "should" instead of "must".

How should I format my query so I get the values shown in the should part and filtered by the time filter, without having all documents in the time filter?
Thanks

I think you need to do something like:

GET /_count
{
  "query": {
    "bool": { 
      "filter": [ 
        {     
           "bool": { 
             "should": [
               { "match_phrase": { "Info":"OPTICAL_FIBER_MISCONNECT(l)"       }},
               { "match_phrase": { "Info":"LACP_STATE_DOWN(l)" }}
             ]
          }
        },
        { "range": { "@timestamp":{"gte":"now-7d" }}}
      ]
    }
  }
}

Not tested... 🙂
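Why the nested form behaves differently, as an added example that is not part of the original thread and is not Elasticsearch code: a simplified Python model of bool-query matching over constructed documents. In a bool query, `minimum_should_match` defaults to 1 only when there are should clauses and no must or filter clauses, otherwise to 0, so a should placed next to a filter is optional. The example also shows setting `minimum_should_match` explicitly, which goes beyond the answer above; the substring model of match_phrase and the numeric day offsets standing in for `@timestamp` are assumptions.

```python
# Simplified model of Elasticsearch bool-query matching (added example, not ES code).
# Assumptions: match_phrase is modelled as a substring test, and "@timestamp" holds
# a day offset relative to now (-3 = three days ago), so "now-7d" becomes -7.

def matches(query, doc):
    """Return True if doc satisfies query (supports bool, match_phrase, range/gte)."""
    kind, body = next(iter(query.items()))
    if kind == "match_phrase":
        field, phrase = next(iter(body.items()))
        return phrase in doc.get(field, "")
    if kind == "range":
        field, cond = next(iter(body.items()))
        return doc[field] >= cond["gte"]
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        should = body.get("should", [])
        # Default: 1 if there are should clauses and no must/filter clauses, else 0.
        default_msm = 1 if should and not required else 0
        msm = body.get("minimum_should_match", default_msm)
        hits = sum(matches(clause, doc) for clause in should)
        return all(matches(clause, doc) for clause in required) and hits >= msm
    raise ValueError(f"unsupported clause: {kind}")

def count(query, docs):
    """Model of the _count endpoint: number of matching documents."""
    return sum(matches(query, d) for d in docs)

# Constructed sample documents (not from the thread).
DOCS = [
    {"Info": "OPTICAL_FIBER_MISCONNECT(l): port 1", "@timestamp": -1},
    {"Info": "LACP_STATE_DOWN(l): trunk 3", "@timestamp": -3},
    {"Info": "LOGIN_OK(l): admin", "@timestamp": -2},
    {"Info": "LACP_STATE_DOWN(l): trunk 9", "@timestamp": -30},
]

PHRASES = [
    {"match_phrase": {"Info": "OPTICAL_FIBER_MISCONNECT(l)"}},
    {"match_phrase": {"Info": "LACP_STATE_DOWN(l)"}},
]
LAST_7D = {"range": {"@timestamp": {"gte": -7}}}

# Query from the question: should is optional because a filter is present.
ORIGINAL = {"bool": {"should": PHRASES, "filter": [LAST_7D]}}
# Query from the answer: the inner bool has only should, so one clause must match.
NESTED = {"bool": {"filter": [{"bool": {"should": PHRASES}}, LAST_7D]}}
# Alternative: keep the original shape and require one should clause explicitly.
WITH_MSM = {"bool": {"should": PHRASES, "filter": [LAST_7D], "minimum_should_match": 1}}

if __name__ == "__main__":
    for name, q in [("original", ORIGINAL), ("nested", NESTED), ("with_msm", WITH_MSM)]:
        print(name, count(q, DOCS))
```
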

You are my hero 🙂
It works as expected now
Thanks a lot
