HELP!! Negation, and, or does not work

Hi All,

Thanks in advance for any help provided. I am having some very frustrating issues writing YAML rules with ElastAlert and negations, and, or.

I cannot get negations, and, or to work. I have tried an exact copy of the example in the docs (ensuring every space is correct), and I have tried other examples from issues listed here. Every time I get a similar error, which is:

RequestError(400, u'parsing_exception', {u'status': 400, u'error': {u'line': 1, u'root_cause': [{u'reason': u'[and] query malformed, no start_object after query name', u'type': u'parsing_exception', u'line': 1, u'col': 206}], u'type': u'parsing_exception', u'reason': u'[and] query malformed, no start_object after query name', u'col': 206}})

This works:

filter:
    - term:
        field1: "value"
    - term:
        field2: "value"

Any of the following DO NOT work:

filter:
- and:
    - term:
        field1: "value"
    - term:
        field2: "value"

OR

filter:
- or:
    - term:
        field: "value"
    - wildcard:
        field: "foo*bar"
    - and:
        - not:
            term:
              field: "value"
        - not:
            term:
              _type: "something"

I have checked the spacing in front of every line (the magical 4 spaces); no matter what I do, I get the same error. I am using the latest version of ElastAlert and Elasticsearch 5.2 (just upgraded from 5.x, but no difference).

Many thanks

Issue Analytics

  • State: open
  • Created 7 years ago
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

1 reaction
Qmando commented, Jun 13, 2018

The examples and documentation are a bit dated. I’d recommend using query strings if you are using ES5 or ES6. You should be able to construct boolean logic.

Example:

filter:
- query_string:
     query: "(NOT field1: value OR field2: value) AND field3: value"

If someone wants to add better support for using the ES6 syntax for bool queries, I’d happily accept the changes.

0 reactions
beaesteban01 commented, Feb 16, 2021

Hi @Qmando, I am facing similar problems with AND in filters, as mentioned in #3119. I am trying with

filter:
- query:
      query_string:
          query: "r1_ AND r2_ AND r3_"
          default_field: rule_name

and I don’t get any hits, but if I just put

filter:
- query:
      query_string:
          query: "r1_ "
          default_field: rule_name

I get 1 hit (as expected), but it does not work with more values. It does not work this way either (again, for only 1 term it gets 1 hit, but not for more values):

filter:
- term:
      rule_name: "r1_"
- term:
      rule_name: "r2_"
- term:
      rule_name: "r3_"

Because as I say in #3119, using

- terms:
    rule_name:
      - r1_
      - r2_
      - r3_

filters as OR, not AND, which is what I need.

Thanks, Bea
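The error in the question ("[and] query malformed, no start_object after query name") is what Elasticsearch 5 returns because it no longer knows the old `and`, `or` and `not` filters: they were deprecated in 2.0 and removed in 5.0, and their replacement is a `bool` query with `must`, `should` and `must_not`. That is the "ES6 syntax for bool queries" Qmando mentions, and it is what his `query_string` suggestion sidesteps. The Python below is an added example, not code from ElastAlert or from either commenter. It rewrites the asker's legacy filter lists into `bool` syntax and evaluates them against constructed documents with a tiny in-memory matcher, and it also runs Bea's three `term` filters and her `terms` filter to show why the first returns nothing on a single-valued field while the second behaves as OR. The outer wrapping in `build_query` (top-level entries ANDed under `bool.filter`) and the evaluator are simplifications assumed for the example; real Elasticsearch compares `term` against the indexed, possibly analyzed value, so a `term` on a `text` field can miss even when the raw string looks identical.

```python
"""Rewrite ElastAlert's pre-ES5 and/or/not filter clauses into the
Elasticsearch 5+ bool query syntax, then evaluate the result against a few
constructed documents so the boolean semantics can be checked offline."""
import fnmatch


def legacy_to_bool(clause):
    """Turn one legacy clause (and / or / not, possibly nested) into a bool query.
    Leaf clauses (term, terms, wildcard, query_string, ...) pass through unchanged."""
    if not isinstance(clause, dict) or len(clause) != 1:
        raise ValueError("each filter clause must be a single-key mapping")
    (kind, body), = clause.items()
    if kind == "and":
        return {"bool": {"must": [legacy_to_bool(c) for c in body]}}
    if kind == "or":
        # minimum_should_match is set explicitly so the OR keeps its meaning
        # even if this clause later sits next to must/filter clauses.
        return {"bool": {"should": [legacy_to_bool(c) for c in body],
                         "minimum_should_match": 1}}
    if kind == "not":
        return {"bool": {"must_not": [legacy_to_bool(body)]}}
    return clause


def build_query(filters):
    """Assumed wrapping for the example: every top-level filter entry goes into
    bool.filter, i.e. the entries are ANDed (why the asker's plain two-term list works)."""
    return {"query": {"bool": {"filter": [legacy_to_bool(f) for f in filters]}}}


def matches(doc, clause):
    """Minimal in-memory evaluator for term, terms, wildcard and bool clauses.
    Compares raw values only; it does not model analyzers or mappings."""
    (kind, body), = clause.items()
    if kind == "term":
        (field, value), = body.items()
        return doc.get(field) == value
    if kind == "terms":
        (field, values), = body.items()
        return doc.get(field) in values
    if kind == "wildcard":
        (field, pattern), = body.items()
        # ES wildcard supports * and ?; fnmatch additionally accepts [...] classes.
        return fnmatch.fnmatchcase(str(doc.get(field, "")), pattern)
    if kind == "bool":
        must = body.get("must", []) + body.get("filter", [])
        should = body.get("should", [])
        # ES default: 1 when there are should clauses but no must/filter, else 0.
        min_should = body.get("minimum_should_match", 1 if should and not must else 0)
        return (all(matches(doc, c) for c in must)
                and not any(matches(doc, c) for c in body.get("must_not", []))
                and sum(matches(doc, c) for c in should) >= min_should)
    raise ValueError(f"unsupported clause type: {kind}")


def search(docs, filters):
    """Return the ids of the documents matched by an ElastAlert-style filter list."""
    query = build_query(filters)["query"]
    return [d["id"] for d in docs if matches(d, query)]


# Constructed sample documents; not real ElastAlert or Elasticsearch data.
DOCS = [
    {"id": 1, "field": "value", "_type": "something",
     "field1": "value", "field2": "value", "rule_name": "r1_"},
    {"id": 2, "field": "foo-bar", "_type": "other",
     "field1": "value", "field2": "other", "rule_name": "r2_"},
    {"id": 3, "field": "other", "_type": "other",
     "field1": "other", "field2": "value", "rule_name": "r3_"},
    {"id": 4, "field": "other", "_type": "something",
     "field1": "other", "field2": "other", "rule_name": "r4_"},
]

# The asker's two failing filters, as the YAML would be loaded into Python.
LEGACY_AND = [{"and": [{"term": {"field1": "value"}},
                       {"term": {"field2": "value"}}]}]
LEGACY_OR = [{"or": [
    {"term": {"field": "value"}},
    {"wildcard": {"field": "foo*bar"}},
    {"and": [{"not": {"term": {"field": "value"}}},
             {"not": {"term": {"_type": "something"}}}]},
]}]
# Bea's three term filters on one field, and the terms filter she found ORs.
THREE_TERMS = [{"term": {"rule_name": v}} for v in ("r1_", "r2_", "r3_")]
TERMS_OR = [{"terms": {"rule_name": ["r1_", "r2_", "r3_"]}}]

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(LEGACY_OR), indent=2))
    for name, f in [("LEGACY_AND", LEGACY_AND), ("LEGACY_OR", LEGACY_OR),
                    ("THREE_TERMS", THREE_TERMS), ("TERMS_OR", TERMS_OR)]:
        print(name, "->", search(DOCS, f))
```

Running it prints the translated `bool` query for the asker's `or` example and then the matching ids: `LEGACY_AND` matches only document 1, `LEGACY_OR` matches 1, 2 and 3, `THREE_TERMS` matches nothing (a single-valued `rule_name` cannot equal three different terms at once), and `TERMS_OR` matches 1, 2 and 3. Before putting a translated query into a rule, paste it into `GET <index>/_validate/query?explain=true` against the real cluster, which reports parse errors like the one in the question without running the search.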
