Reputation: 3629
I have a Kibana query to find all transactions which either have the result "HTTP 5xx" or a response code greater than or equal to 400:

```
service.name : "my-service" AND transaction.name : "my-transaction" AND (transaction.result: "HTTP 5xx" OR http.response.status_code >= 400)
```
I need to use this same query in an ElastAlert rule (.yaml file). I can use the status code in a range, which will act as an AND clause with the query, but how could I use transaction.result below:
```yaml
filter:
- query:
    query_string:
      query: 'service.name : "my-service" AND transaction.name : "my-transaction"'
- range:
    http.response.status_code:
      gt: 399
```
Can anyone help with how to include this?
Upvotes: 0
Views: 2643
Reputation: 217334
You can use `and` and `or` in your filter definitions:
```yaml
filter:
- and:
  - query:
      query_string:
        query: >-
          service.name : "my-service" AND transaction.name :
          "my-transaction"
  - or:
    - term:
        transaction.result: HTTP 5xx
    - range:
        http.response.status_code:
          gt: 399
```
Or you can also get rid of the `query_string` query and spell it out into individual queries:
```yaml
filter:
- and:
  - term:
      service.name: my-service
  - term:
      transaction.name: my-transaction
  - or:
    - term:
        transaction.result: HTTP 5xx
    - range:
        http.response.status_code:
          gt: 399
```
Upvotes: 2
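To sanity-check the `and`/`or` nesting before deploying the rule, here is an added example (not ElastAlert's own code, and not from the answer) that evaluates a Python rendering of the second filter above against a few constructed events. It assumes events flattened to dotted field names and treats `term` as an exact comparison, which is how it behaves on a keyword field; against an analyzed text field a `term` on "HTTP 5xx" would not match.

```python
# Constructed filter, a Python rendering of the term-only filter from the answer
# (hypothetical service/transaction names). ElastAlert ANDs the top-level entries.
FILTER = [{"and": [
    {"term": {"service.name": "my-service"}},
    {"term": {"transaction.name": "my-transaction"}},
    {"or": [
        {"term": {"transaction.result": "HTTP 5xx"}},
        {"range": {"http.response.status_code": {"gt": 399}}},
    ]},
]}]

# Constructed sample events, flattened to dotted field names.
EVENTS = [
    {"id": 1, "service.name": "my-service", "transaction.name": "my-transaction",
     "transaction.result": "HTTP 5xx", "http.response.status_code": 503},
    {"id": 2, "service.name": "my-service", "transaction.name": "my-transaction",
     "transaction.result": "HTTP 4xx", "http.response.status_code": 404},
    {"id": 3, "service.name": "my-service", "transaction.name": "my-transaction",
     "transaction.result": "HTTP 2xx", "http.response.status_code": 200},
    {"id": 4, "service.name": "other-service", "transaction.name": "my-transaction",
     "transaction.result": "HTTP 5xx", "http.response.status_code": 500},
]

RANGE_OPS = {"gt": lambda v, b: v > b, "gte": lambda v, b: v >= b,
             "lt": lambda v, b: v < b, "lte": lambda v, b: v <= b}

def matches(clause, event):
    """Evaluate one and/or/term/range clause against a flat event dict.
    term is an exact comparison, i.e. how it behaves on a keyword field."""
    (kind, body), = clause.items()
    if kind == "and":
        return all(matches(c, event) for c in body)
    if kind == "or":
        return any(matches(c, event) for c in body)
    if kind == "term":
        (field, value), = body.items()
        return event.get(field) == value
    if kind == "range":
        (field, bounds), = body.items()
        value = event.get(field)
        return value is not None and all(RANGE_OPS[op](value, b) for op, b in bounds.items())
    raise ValueError(f"unsupported clause: {kind}")

def matching_ids(filters=FILTER, events=EVENTS):
    """Ids of events that pass every top-level filter entry."""
    return [e["id"] for e in events if all(matches(f, e) for f in filters)]

print(matching_ids())  # [1, 2]
```

Event 3 is dropped because neither branch of the `or` holds, and event 4 because the outer `and` requires the service name to match.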