API search query

I’ve got two queries. One works, one doesn’t, and I can’t for the life of me figure out why. Would anyone have any idea what’s wrong here?

http://(removedHostName):9000/api/search/universal/absolute/terms?field=Deny_Public_Source_IP&query=threat_indicated:false&stacked_fields=source,threat_indicated,Deny_Public_Source_IP_country_code&from=2021-01-08+07:46:23&to=2021-01-08+11:46:23&order=Deny_Public_Source_IP:desc

^^ works

http://(removedHostName):9000/api/search/universal/absolute/terms?field=Deny_Public_Source_IP&query=threat_indicated:true&stacked_fields=source,threat_indicated,Deny_Public_Source_IP_country_code&from=2021-01-08+07:46:23&to=2021-01-08+11:46:23&order=Deny_Public_Source_IP:desc

^^ doesn’t work

All that’s changed in the query is the threat_indicated section (true/false). I feel like I’ve missed a core Graylog thing here?
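A worked example of issuing the two terms queries from a script, added here as an illustration and not part of the original post or of Graylog itself. It separates the two things "doesn’t work" can mean (an HTTP error versus a 200 with no terms) and runs offline against constructed responses. Assumptions: the hostname and token are placeholders, the response shape of `/api/search/universal/absolute/terms` is `{"terms": {...}, "total": N, ...}`, and authentication is HTTP Basic with an API token as the username and the literal string `token` as the password.

```python
"""Compare two Graylog terms queries and say *how* one of them fails.

Added example (not from the original thread or from Graylog). Assumes the
legacy terms endpoint returns {"terms": {...}, "total": N, ...} and that
Graylog API tokens are sent as Basic auth "<token>:token".
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode

GRAYLOG = "http://graylog.example.internal:9000"  # hypothetical host
API_TOKEN = "REPLACE_ME"                           # hypothetical token

START, END = "2021-01-08 07:46:23", "2021-01-08 11:46:23"
FIELD = "Deny_Public_Source_IP"
STACKED = ["source", "threat_indicated", "Deny_Public_Source_IP_country_code"]


def build_terms_url(base, field, query, stacked_fields, start, end, order):
    """Build the same URL the thread uses; urlencode turns spaces into '+'."""
    params = {
        "field": field,
        "query": query,
        "stacked_fields": ",".join(stacked_fields),
        "from": start,
        "to": end,
        "order": order,
    }
    return f"{base}/api/search/universal/absolute/terms?" + urllib.parse.urlencode(params)


def classify(status, body_text):
    """Return ('error' | 'empty' | 'results', detail) for one response."""
    if status != 200:
        return "error", f"HTTP {status}: {body_text[:200]}"
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return "error", "non-JSON body"
    terms = body.get("terms") or {}
    total = body.get("total", 0)
    if not terms:
        # A 200 with no buckets means the query matched nothing: check in the
        # web UI whether the field is actually populated in this time range.
        return "empty", f"total={total}, no term buckets"
    return "results", f"total={total}, {len(terms)} term buckets"


def fetch(url, token, timeout=10):
    """Real fetch: Basic auth with the API token; never raises on 4xx/5xx."""
    req = urllib.request.Request(url)
    cred = b64encode(f"{token}:token".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def compare(fetch_fn, base=GRAYLOG, token=API_TOKEN):
    """Run both queries from the thread and classify each response."""
    out = {}
    for value in ("false", "true"):
        query = f"threat_indicated:{value}"
        url = build_terms_url(base, FIELD, query, STACKED, START, END, f"{FIELD}:desc")
        status, body = fetch_fn(url, token)
        out[query] = classify(status, body)
    return out


# Constructed sample responses so the script runs offline. The 'true' case
# mirrors the thread: the request succeeds but nothing is bucketed.
SAMPLE = {
    "false": (200, json.dumps({"terms": {"203.0.113.7 - fw1 - false - XX": 42},
                               "total": 42, "missing": 0, "other": 0})),
    "true": (200, json.dumps({"terms": {}, "total": 0, "missing": 0, "other": 0})),
}


def fake_fetch(url, token):
    """Offline stand-in for fetch(): picks a sample by the query value."""
    value = "true" if "threat_indicated%3Atrue" in url else "false"
    return SAMPLE[value]


if __name__ == "__main__":
    for query, (kind, detail) in compare(fake_fetch).items():
        print(f"{query:<24} {kind:<8} {detail}")
```

Swap `fake_fetch` for `fetch` to run it against a real node. If the second query comes back `empty` rather than `error`, the API is fine and the question becomes why no message in that window has `threat_indicated:true`, which is exactly what the web interface search with the same constraints will show. Note that the thread’s URLs are plain `http://`, so the Basic-auth token travels in the clear; put the API behind TLS before using it from anything but a lab box.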

Hey @charlie, it seems obvious but are you sure that there are messages where threat_indicated=true with the other constraints? What if you search in the web interface with the same constraints?

Agree with @ttsandrew, and would also ask you to clarify “works” vs. “doesn’t work”. Is it results vs. no results, or no error vs. error?

Figured it out: turns out the lookup had been broken for this query since the start of the year, so it wasn’t populating correctly.

A major mistake on my part.
