elasticsearch - ElastAlert combining query and range into an OR clause

Question

I have a kibana query to find all transactions which are either having result "HTTP 5xx" or a response code greater than equal to 400

service.name : "my-service" AND transaction.name : "my-transaction" AND (transaction.result: "HTTP 5xx" OR http.response.status_code >= 400)

I need to use this same query in ElastAlert Rule (.yaml file). I can use status code in range and which will play as AND clause with query, but how I could I use transaction.result below:

filter:
- query:
   query_string:
    query: 'service.name : "my-service" AND transaction.name : "my-transaction"'
- range:
    http.response.status_code:
      gt: 399  

Can anyone help how to include this?

question from:https://stackoverflow.com/questions/65888467/elastalert-combining-query-and-range-into-an-or-clause

Answer 1

You can use and and or in your filter definitions:

filter:
  - and:
      - query:
          query_string:
            query: >-
              service.name : "my-service" AND transaction.name :
              "my-transaction"
      - or:
          - term:
              transaction.result: HTTP 5xx
          - range:
              http.response.status_code:
                gt: 399

Or you can also get rid of the query_string query and spell it out into individual queries:

filter:
  - and:
      - term:
          service.name: my-service
      - term:
          transaction.name: my-transaction
      - or:
          - term:
              transaction.result: HTTP 5xx
          - range:
              http.response.status_code:
                gt: 399