Dear all =)
Here is an odd one!
If I in Dev Tools do
GET _search
{ "query": { "query_string": { "query": "besked:*" } } }
then I get lots of results. If I do the same in a rule, I don't get any results.
Are extra permissions needed?
What am I doing wrong?
Hugs
Sandra =)
Hey @Sandra_Schlichting,
In dev tools, running GET _search will search across all of your indices. When defining a rule, you need to specify the set of indices you wish to search against. Are you sure that the indices you've chosen in the rule actually have data?
Can you run the _search in dev tools constrained to the indices you've set in the rule to see if that returns any results? For example:
GET /my-index-name/_search
{ "query": { "query_string": { "query": "besked:*" } } }
Dear Larry. Thanks a lot! Very useful debug trick you gave me there. Apparently indices in rules can't use wildcard it seams. Entering the full index name solved the problem. Thanks again =)
Hugs
Sandra =)
I just happen to come across this. You can absolutely use an index pattern in a DSL Query. I just find the index selector a bit tricky.
You have to type in your pattern say filebeat-*
Then wait for the selector list to finish... then scroll down and actually select the index-pattern or the wildcard pattern... that is the trick
This is with an index pattern
This is with an arbitrary wildcard filebeat-11.2-*
and the test query works
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
