kibana3
kibana3 copied to clipboard
immunochomik
Filtering with "mustNot" does not work
When I try to filter my logs using "mustNot" to exclude certain logs, it does not work. This is the query that gets executed and does not have logic to exclude Hostname:sqvwbbbt001, even though I created a filtering to exclude it.
curl -XGET 'http://sqvlhglr002.test.cm.com:9200/logstash-2017.09.14/_search?pretty' -d '{ "query": { "bool": { "filter": [ { "range": { "@timestamp": { "from": 1505406407057, "to": 1505492807057 } } }, { "query_string": { "query": "type:("eventlog")" } }, { "query_string": { "query": "Hostname:("sqvwbbbt001")" } } ], "should": [ { "query_string": { "query": "*" } } ] } }, "highlight": { "fields": {}, "fragment_size": 2147483647, "pre_tags": [ "@start-highlight@" ], "post_tags": [ "@end-highlight@" ] }, "size": 500, "sort": [ { "@timestamp": { "order": "desc" } } ] }'
Hi @mzamora717 thanks for letting me know, you are right it does not work, but you do not need it, you can have the same effect by setting a filter with query "!key: value", that would be something like "!Hostname: sqvwbbbt001". I am not going to fix that as there is an easy workaround.
I understand there is a workaround, however, it makes for a bad user experience. Currently, users are used to clicking on the "exclude" icon to filter out data they dont want to see. So they just have to click one thing to exclude data. With this work around, they have to actually edit the query in the filters, which makes for a different and more difficult user experience. More over, the exclude icon doesn't work, which is even more annoying cause now you have a button that doesn't actually do what its supposed to do. Would you consider fixing it?
On Sat, Sep 16, 2017 at 11:12 AM Tomasz Swider [email protected] wrote:
Hi @mzamora717 https://github.com/mzamora717 thanks for letting me know, you are right it does not work, but you do not need it, you can have the same effect by setting a filter with query "!key: value", that would be something like "!Hostname: foo". I am not going to fix that as there is easy workaround.
[image: image] https://user-images.githubusercontent.com/11587162/30513846-2eb215f6-9b02-11e7-85cd-86a2babb4006.png
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/immunochomik/kibana3/issues/6#issuecomment-329977949, or mute the thread https://github.com/notifications/unsubscribe-auth/AHm4ux-Nbe8ihqmMxe9o4GADSjZWU9Ceks5si_NxgaJpZM4PZON5 .
-- Melanie Zamora Senior Performance Engineer SpringCM
[email protected] +1.312.253.4723 www.springcm.com LinkedIn http://www.linkedin.com/company/springcm | Facebook http://www.facebook.com/SpringCMCloud | Twitter http://twitter.com/springcm
I could not agree more @mzamora717 :), So if you have time to fix it patches are welcome.
In case anyone else has the same issue I managed to overcome this issue with: https://github.com/scrapinghub/kibana3/commit/80dd72f6e862e044d121b56b3d6c04270a0c209f
