Why does a query work in DevTools but not in a Rule?

Dear all =)

Here is an odd one!

If I do this in Dev Tools:

GET _search
{ "query": { "query_string": { "query": "besked:*" } } }

then I get lots of results. If I do the same in a rule, I don't get any results.

Are extra permissions needed?

What am I doing wrong?

Sandra =)

Hey @Sandra_Schlichting,

In dev tools, running GET _search will search across all of your indices. When defining a rule, you need to specify the set of indices you wish to search against. Are you sure that the indices you've chosen in the rule actually have data?

Can you run the _search in dev tools constrained to the indices you've set in the rule to see if that returns any results? For example:

GET /my-index-name/_search
{ "query": { "query_string": { "query": "besked:*" } } }

Dear Larry. Thanks a lot! Very useful debug trick you gave me there. Apparently indices in rules can't use wildcards, it seems. Entering the full index name solved the problem. Thanks again =)

Sandra =)

Hi @Sandra_Schlichting

I just happened to come across this. You can absolutely use an index pattern in a DSL Query. I just find the index selector a bit tricky.

You have to type in your pattern say filebeat-*
Then wait for the selector list to finish... then scroll down and actually select the index-pattern or the wildcard pattern... that is the trick

This is with an index pattern

This is with an arbitrary wildcard filebeat-11.2-*

and the test query works
