Why query DSL select doc which not include field?

d.silwon · May 9, 2022, 5:22am

Dears,

I need your advice/explanation.

This is my query which select document from index which not include field f1.rc. I don't understand why.
What is wrong in below query? Any idea?

In my opinion this query should select documents that meet both conditions f1.rc and f1.mti. I'm confused.

GET /index-2022.04.14/_search?size=100&pretty=true
{
  "query": {
    "bool": {
      "must": [
        {
         "match": {
           "f1.iface.keyword":"MOSS"
         }
        },
        {
          "query_string": {
            "query":  "(server01\\.domain\\.com) OR (server02\\.comain\\.com)",
            "default_field": "agent.hostname",
            "default_operator": "AND"
          }
        },
        {
          "term": {
            "log.file.path.keyword": {
              "value": "/apps/myapp1/log/cssf1.log"
            }
          }
        },
        {
        "query_string": {
          "query": "(f1.rc:/[0]\\d{2}/ and f1.mti:/\\[1][12][13579]\\d/) "
         }
        },
        {
          "range": {"@timestamp": {"gt": "2022-04-14T15:08:50","lte": "2022-04-14T15:08:51"}}
        }
      ]
    }
  }
  }
}

Best Regards,
Dan

Mark_Harwood · May 9, 2022, 6:36am

Hi Dan.
Possibly because the “and” in your query string needs to be all upper case to work as a Boolean operator - otherwise you’re just looking for the word “and”

d.silwon · May 9, 2022, 7:14am

@Mark_Harwood you are right. Thanks a lot

Mark_Harwood · May 9, 2022, 7:19am

It’s a very easy trap to fall into - especially if you’re used to KQL syntax.

d.silwon · May 9, 2022, 7:25am

OK, I understand, thanks again.

system · June 6, 2022, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.