Malformed query in Elasticsearch Watcher

Question

I'm trying to create a watch in Elasticsearch with this conditions:

Field "ht" must be less than 100
Field "sv" must NOT be "tier1", and field "rv" can be anything else.
Field "sv" must NOT be "tier2", and field "rv" MUST NOT be "red".

This is my body search at the moment, but it returns:

"[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]":

      "body": {
          "query": {
              "bool": {
                  "must": {
                      "range": {
                          "ht": { "lt": 100 }
                      }
                  },
                  "must_not": [{
                      "term": { "sv": "tier1" },
                      "bool": {
                          "must": [ 
                              { "term": { "sv": "tier2" } },
                              { "term": { "rv": "red" } }
                          ]
                       }
                  }],
                  "filter": {
                      "range": {
                          "timestamp": {
                              "from": "now-10m",
                              "to": "now"
                          }
                      }
                  }
               }
            }
        }

Can you help me, please? Thanks.

Val Val · Accepted Answer · 2018-04-16T14:23:11

The issue is in the must_not section, you need to surround each constraint with additional {...}

              "must_not": [
                  {"term": { "sv": "tier1" }},
                  {"bool": {
                      "must": [ 
                          { "term": { "sv": "tier2" } },
                          { "term": { "rv": "red" } }
                      ]
                   }}
              ],

Malformed query in Elasticsearch Watcher

1 Answers