ELS Bool query and sorting
I want to list the logs that contain the user name and the "Authentication Failed" keywords in the message.
If I send the following query to Elasticsearch:
```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"message": "Common.Username=AB001"}},
        {"match": {"message": "Authentication Failed"}}
      ]
    }
  }
}
```
records are listed, but old records are returned, not new ones. For example, the following records are returned:
```
timestamp=2022-04-21 13:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
timestamp=2022-04-22 13:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
timestamp=2022-04-26 13:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
```
but the records I am waiting for are:
```
timestamp=2022-04-29 10:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
timestamp=2022-04-29 12:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
timestamp=2022-04-29 13:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed
```
So I also prepared a query like the following:
```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"message": "Common.Username=AB001"}},
        {"match": {"message": "Authentication Failed"}}
      ]
    }
  },
  "sort": [
    {"@timestamp": {"order": "desc"}}
  ]
}
```
It fetches all records without taking the values "AB001" and "Authentication Failed" into account:
```
timestamp=2022-04-29 10:10:37+03,Common.Username=BBB01,MSCHAP: Account locked out
timestamp=2022-04-29 13:10:37+03,Common.Username=AB001,MSCHAP: Account locked out
timestamp=2022-04-29 12:10:37+03,Common.Username=BBBB,MSCHAP: Authentication failed
timestamp=2022-04-29 13:10:37+03,Common.Username=CCCC,MSCHAP: Authentication failed
```
How can I get the records containing the keywords (Username and "Authentication Failed") in date order?
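Added illustration (not part of the question or any answer): a small Python simulation of why a `match` clause on an analyzed `message` field lets other users' records through, and how `match_phrase` narrows the hits before the `@timestamp` sort is applied. It assumes the default `match` behaviour (any query token is enough to match) is what the question is running into; the tokenizer below is a rough approximation of the standard analyzer, and the log lines are constructed from the ones quoted above.

```python
import re

# Constructed sample documents modelled on the question's log lines (not real data).
LOGS = [
    "timestamp=2022-04-21 13:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed",
    "timestamp=2022-04-29 10:10:37+03,Common.Username=BBB01,MSCHAP: Account locked out",
    "timestamp=2022-04-29 13:10:37+03,Common.Username=AB001,MSCHAP: Account locked out",
    "timestamp=2022-04-29 12:10:37+03,Common.Username=BBBB,MSCHAP: Authentication failed",
    "timestamp=2022-04-29 10:10:37+03,Common.Username=AB001,MSCHAP: Authentication failed",
]
CLAUSES = ["Common.Username=AB001", "Authentication Failed"]


def tokens(text):
    # Approximation of the standard analyzer: lowercase, split on '=', ':', ',', '-', spaces.
    # "Common.Username" stays one token, "AB001" becomes its own token.
    return re.findall(r"[a-z0-9.]+", text.lower())


def match_or(doc, query):
    # `match` with the default OR operator: one shared token is enough to hit.
    # Every document contains "common.username", so the user clause filters nothing.
    doc_tokens = set(tokens(doc))
    return any(t in doc_tokens for t in tokens(query))


def match_phrase(doc, query):
    # `match_phrase`: all query tokens present, adjacent and in order.
    q, d = tokens(query), tokens(doc)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def search(docs, clauses, matcher):
    # bool/must semantics: every clause must hit; then sort by timestamp descending,
    # mirroring the `sort` on @timestamp in the question (fixed format sorts lexically).
    hits = [d for d in docs if all(matcher(d, c) for c in clauses)]
    return sorted(hits, key=lambda d: d.split(",")[0], reverse=True)


def build_query(username, phrase):
    # Corrected query DSL body: match_phrase keeps each clause as an exact token
    # sequence, and the sort from the question is kept unchanged.
    return {
        "query": {"bool": {"must": [
            {"match_phrase": {"message": f"Common.Username={username}"}},
            {"match_phrase": {"message": phrase}},
        ]}},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }
```

`search(LOGS, CLAUSES, match_or)` still returns the BBBB failure, while `search(LOGS, CLAUSES, match_phrase)` returns only the AB001 failures, newest first.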
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow