Examples of the Elasticsearch Query DSL

You can create filters manually by using the Elasticsearch Query domain-specific language (DSL).

  1. In either the Add filter or the Edit filter dialog, click Edit query DSL.

    [Image: the Edit query DSL option in the filter dialog]

  2. Edit the query for the filter by using the Elasticsearch query DSL.

  3. Click Save.

Examples

The following bool query creates a filter on some sample log data.

It displays the hits that originated from Canada or China and that resulted in a 404 error:

{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ],
    "must": [
      {
        "term": {
          "response": "404"
        }
      }
    ]
  }
}

JSON filter queries

You can use a JSON filter representation to implement predicate logic, with should for OR, must for AND, and must_not for NOT:

OR example

{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ]
  }
}

AND example

{
  "bool": {
    "must": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.city_name.raw": "New York"
        }
      }
    ]
  }
}

NOT example

{
  "bool": {
    "must_not": [
      {
        "term": {
          "geoip.country_name.raw": "United States"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      }
    ]
  }
}
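The following Python script is an added example, not part of the Kibana documentation or of Elasticsearch's own client code. It assembles the page's queries (the Canada/China 404 filter above and the OR, AND and NOT examples in this section) with two small hypothetical helpers, term() and bool_query(), and runs them through a toy evaluator, matches(), over a handful of constructed log documents. The evaluator implements only the term and bool clauses and models the minimum_should_match default documented for the Elasticsearch bool query: 1 when there are should clauses and no must or filter clauses, otherwise 0. That default is the caveat worth seeing: because the first example on the page combines should with must, under the default the should clauses become optional and the filter also passes the 404 from the United States. Setting minimum_should_match: 1 explicitly (the STRICT_EXAMPLE below) pins the intended "Canada or China, and 404" semantics regardless of version or context.

```python
import json

# Hypothetical helper names, constructed for this example; not Kibana or
# Elasticsearch API.

def term(field, value):
    """A single exact-match term clause."""
    return {"term": {field: value}}


def bool_query(must=None, should=None, must_not=None, minimum_should_match=None):
    """Assemble a bool query from clause lists, omitting empty sections."""
    body = {}
    if must:
        body["must"] = list(must)
    if should:
        body["should"] = list(should)
    if must_not:
        body["must_not"] = list(must_not)
    if minimum_should_match is not None:
        body["minimum_should_match"] = minimum_should_match
    return {"bool": body}


def default_minimum_should_match(body):
    """Documented Elasticsearch default: 1 only when should clauses are present
    and there are no must/filter clauses; otherwise 0 (should is optional)."""
    has_should = bool(body.get("should"))
    has_must_or_filter = bool(body.get("must")) or bool(body.get("filter"))
    return 1 if has_should and not has_must_or_filter else 0


def matches(query, doc):
    """Toy evaluator for term/bool queries against a flat document dict."""
    if "term" in query:
        field, value = next(iter(query["term"].items()))
        return doc.get(field) == value
    if "bool" in query:
        body = query["bool"]
        if not all(matches(q, doc) for q in body.get("must", [])):
            return False
        if not all(matches(q, doc) for q in body.get("filter", [])):
            return False
        if any(matches(q, doc) for q in body.get("must_not", [])):
            return False
        should = body.get("should", [])
        msm = body.get("minimum_should_match", default_minimum_should_match(body))
        hits = sum(1 for q in should if matches(q, doc))
        return hits >= msm
    raise ValueError("unsupported clause: %r" % list(query))


def apply_filter(query, docs):
    """Return the ids of the documents the filter lets through."""
    return [d["id"] for d in docs if matches(query, d)]


# Constructed sample log documents (not real data).
COUNTRY = "geoip.country_name.raw"
CITY = "geoip.city_name.raw"
SAMPLE_LOGS = [
    {"id": 1, COUNTRY: "Canada", CITY: "Toronto", "response": "404"},
    {"id": 2, COUNTRY: "China", CITY: "Beijing", "response": "200"},
    {"id": 3, COUNTRY: "United States", CITY: "New York", "response": "404"},
    {"id": 4, COUNTRY: "United States", CITY: "Boston", "response": "200"},
    {"id": 5, COUNTRY: "China", CITY: "Shanghai", "response": "404"},
]

# The page's first example as written: should (Canada or China) plus must (404).
PAGE_EXAMPLE = bool_query(
    should=[term(COUNTRY, "Canada"), term(COUNTRY, "China")],
    must=[term("response", "404")],
)
# Same intent with the OR made mandatory by an explicit minimum_should_match.
STRICT_EXAMPLE = bool_query(
    should=[term(COUNTRY, "Canada"), term(COUNTRY, "China")],
    must=[term("response", "404")],
    minimum_should_match=1,
)
# The OR / AND / NOT examples from this section.
OR_EXAMPLE = bool_query(should=[term(COUNTRY, "Canada"), term(COUNTRY, "China")])
AND_EXAMPLE = bool_query(must=[term(COUNTRY, "United States"), term(CITY, "New York")])
NOT_EXAMPLE = bool_query(must_not=[term(COUNTRY, "United States"), term(COUNTRY, "Canada")])

if __name__ == "__main__":
    for name, q in [("page", PAGE_EXAMPLE), ("strict", STRICT_EXAMPLE),
                    ("or", OR_EXAMPLE), ("and", AND_EXAMPLE), ("not", NOT_EXAMPLE)]:
        print(name, json.dumps(q), "->", apply_filter(q, SAMPLE_LOGS))
```

Run the script and compare the "page" and "strict" lines: the page's query lets document 3 (United States, 404) through, while the strict form keeps only the Canadian and Chinese 404s. When a filter like this scopes a detection dashboard, the difference is a silently broader result set, so pasting the intended minimum_should_match into the Edit query DSL box is the defensive habit.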