Hello @Diego_Ramirez
Welcome to the community.
- Looking at your query, try using the version below with brackets, as without brackets it might evaluate `and` first, followed by `or`:

  ```
  (Operacion.keyword : "UPDATE" and COD_CANAL_T.keyword : "CANAL 1 ISO-2 ATM") or (Operacion.keyword : "UPDATE" and COD_CANAL_T.keyword : "CANAL 3 ISO-2 POS")
  ```

- You have the fields below populated for all documents, right?
  CUSTOM_ENTIDAD.keyword, COD_CANAL_T.keyword
- You have checked the data count as per the logic below, right?
| Rule execution at | Time considered (from => to) | Status |
|---|---|---|
| 12:22 | 12:17 to 12:22 | did not match |
| 12:23 | 12:18 to 12:23 | matched (count <= 3) |
| 12:24 | 12:19 to 12:24 | matched (count <= 3) |
| 12:25 | 12:20 to 12:25 | matched (count <= 3) |
| 12:26 | 12:21 to 12:26 | matched (count <= 3) |
| 12:27 | 12:22 to 12:27 | Alert |
Thanks!!
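As an added example (not from the post above and not Elastic's own code), here is a small Python simulation of the three checks in that reply: the bracketed query as a predicate over documents, a scan for documents where the named fields are not populated, and the rule executed once a minute with a 5 minute look-back over a constructed set of documents, producing the same kind of rows as the table. The sample documents, the half-open window `(execute_at - lookback, execute_at]`, and a threshold of 3 (alert only when the count exceeds it) are assumptions made for the example.

```python
from datetime import datetime, timedelta

DAY = "2024-01-01 "  # arbitrary date for the constructed sample; only the time of day matters


def doc(time, operacion, canal=None, entidad="ENT01"):
    """Build one constructed document; a None value means that field is absent."""
    fields = {"@timestamp": DAY + time, "Operacion": operacion,
              "COD_CANAL_T": canal, "CUSTOM_ENTIDAD": entidad}
    return {k: v for k, v in fields.items() if v is not None}


# Constructed sample index (not real data): five matching UPDATEs spread over
# ten minutes, plus noise that must not count and one document missing a field.
SAMPLE_DOCS = [
    doc("12:16:30", "UPDATE", "CANAL 1 ISO-2 ATM"),
    doc("12:22:30", "UPDATE", "CANAL 3 ISO-2 POS"),
    doc("12:24:10", "UPDATE", "CANAL 1 ISO-2 ATM"),
    doc("12:25:00", "UPDATE", "CANAL 2 ISO-2 WEB"),   # wrong channel, never matches
    doc("12:25:40", "UPDATE", "CANAL 3 ISO-2 POS"),
    doc("12:26:20", "UPDATE", "CANAL 1 ISO-2 ATM"),
    doc("12:26:45", "INSERT", "CANAL 1 ISO-2 ATM"),   # wrong operation, never matches
    doc("12:26:50", "UPDATE"),                        # COD_CANAL_T not populated
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def matches_query(document):
    """Python equivalent of the bracketed KQL from the reply:
    (Operacion.keyword : "UPDATE" and COD_CANAL_T.keyword : "CANAL 1 ISO-2 ATM")
      or (Operacion.keyword : "UPDATE" and COD_CANAL_T.keyword : "CANAL 3 ISO-2 POS")
    A document with an absent field can never match, which is why the
    "fields populated for all documents?" check matters."""
    op = document.get("Operacion")
    canal = document.get("COD_CANAL_T")
    return (op == "UPDATE" and canal == "CANAL 1 ISO-2 ATM") or \
           (op == "UPDATE" and canal == "CANAL 3 ISO-2 POS")


def missing_fields(documents, fields):
    """Return (timestamp, [absent field names]) for every document lacking any of `fields`."""
    report = []
    for d in documents:
        absent = [f for f in fields if f not in d]
        if absent:
            report.append((d["@timestamp"], absent))
    return report


def run_rule(documents, execute_at, lookback=timedelta(minutes=5), threshold=3):
    """One rule execution at `execute_at`: count matching documents in the
    window (execute_at - lookback, execute_at]. Assumptions: the lower bound is
    exclusive, and the rule alerts only when the count exceeds `threshold`."""
    start = execute_at - lookback
    count = sum(1 for d in documents
                if start < parse_ts(d["@timestamp"]) <= execute_at and matches_query(d))
    if count == 0:
        status = "did not match"
    elif count <= threshold:
        status = "matched (count <= %d)" % threshold
    else:
        status = "Alert"
    return count, status


def schedule(documents, first, last, interval=timedelta(minutes=1),
             lookback=timedelta(minutes=5), threshold=3):
    """Run the rule every `interval` from `first` to `last` inclusive and return
    (HH:MM executed, window, count, status) rows in the shape of the table above."""
    rows = []
    at = first
    while at <= last:
        count, status = run_rule(documents, at, lookback, threshold)
        window = "%s to %s" % ((at - lookback).strftime("%H:%M"), at.strftime("%H:%M"))
        rows.append((at.strftime("%H:%M"), window, count, status))
        at += interval
    return rows


if __name__ == "__main__":
    print("documents with unpopulated fields:",
          missing_fields(SAMPLE_DOCS, ["CUSTOM_ENTIDAD", "COD_CANAL_T"]))
    for executed, window, count, status in schedule(
            SAMPLE_DOCS, parse_ts(DAY + "12:22:00"), parse_ts(DAY + "12:27:00")):
        print("%s | %s | %d | %s" % (executed, window, count, status))
```

With the constructed documents the run at 12:22 sees nothing, the window then accumulates one, one, two and three matches, and the 12:27 execution is the first whose window holds four matching documents, which is the only row that alerts. The INSERT, the unrelated channel and the document with no COD_CANAL_T fall inside that last window but are not counted, so a count that looks too low in the real index is worth checking against exactly those three cases.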