Elastalert: "Negation, and, or" is not working.

Created on 30 Aug 2018 · 1Comment · Source: Yelp/elastalert

I have faced issue with "Negation, and, or" in my rule. For testing purposes I choose filter from docs i https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html in my rule and received error.

filter:
- or:
    - term:
        field: "value"
    - wildcard:
        field: "foo*bar"
    - and:
        - not:
            term:
              field: "value"
        - not:
            term:
              _type: "something"

command: python -m elastalert.elastalert --verbose --rule test.alert.yml --config config.yml
...
ERROR:root:Error running query: TransportError(400, u'parsing_exception', u'[or] query malformed, no start_object after query name')

Could you please check it.

Source

kuzm1ch

Most helpful comment

This is a known issue with newer versions of Elasticsearch. You'll need to use query strings:

- query_string:
     query: "(field: value OR field: foo*bar) AND NOT field: value AND NOT _type: something"

Qmando on 30 Aug 2018

👍3

>All comments

This is a known issue with newer versions of Elasticsearch. You'll need to use query strings:

- query_string:
     query: "(field: value OR field: foo*bar) AND NOT field: value AND NOT _type: something"

Qmando on 30 Aug 2018

👍3

Was this page helpful?

0 / 5 - 0 ratings

Related issues

TypeError: search() got an unexpected keyword argument '_source_include'

AweiWoo · 3Comments

Add support to test rules with custom timeframe

abhishekjiitr · 3Comments

error: idna 2.8 is installed but idna<2.8,>=2.5 is required by set(['requests'])

rhysxevans · 3Comments

Should someone else maintain this?

junaid1460 · 3Comments

cardinality rule, return unique value count?

shortstack · 3Comments