I’m trying to do a search which uses a combination of AND, AND NOT, OR, and nested groups (I’m not sure if that is the right term or not?)… but I’m not getting the results I should be. Here is my search query:
(type:mysql AND (mysql_query_time:>1 OR mysql_rows_examined:>1000000) AND source:xx?.domain.com AND NOT (mysql_query:SELECT OR mysql_query:UPDATE))
I’ve tried various versions of the above every way I can imagine, and it never gives me what I want. Here is what I want in plain English:
Must have:
type:mysql
(any of) mysql_query_time:>1 OR mysql_rows_examined:>1000000
source:xx?.domain.com
Must not have:
(any of) mysql_query:SELECT OR mysql_query:UPDATE
The “must not have” portion is working fine, I’m able to exclude those patterns from the response, but the “must have” portion isn’t working right. I’m getting mysql_query_time and mysql_rows_examined results that don’t match the search.
If I just do a simple search for mysql_query_time for example, it works fine, and I get the results I’d expect. It just stops working when I try to build a more complex search.
What am I doing wrong? This seems like it should be easy.
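As an added example (not part of the original post), here is the same “must have / must not have” intent written as an Elasticsearch bool query, where the grouping is explicit (must / should with minimum_should_match / must_not), plus a small local evaluator run over constructed sample documents so the expected hits can be checked without a cluster. The field names come from the post; the field mapping and the sample documents are assumptions.

```python
import fnmatch

# Elasticsearch bool query mirroring the post's "must have / must not have" list.
# Assumed mapping: the two mysql_* counters numeric, source keyword, mysql_query text.
QUERY = {
    "bool": {
        "must": [
            {"term": {"type": "mysql"}},
            {"wildcard": {"source": "xx?.domain.com"}},
            {"bool": {  # "(any of)" group: at least one threshold must hold
                "should": [
                    {"range": {"mysql_query_time": {"gt": 1}}},
                    {"range": {"mysql_rows_examined": {"gt": 1000000}}},
                ],
                "minimum_should_match": 1,
            }},
        ],
        "must_not": [
            {"match": {"mysql_query": "SELECT"}},
            {"match": {"mysql_query": "UPDATE"}},
        ],
    }
}

def matches(doc):
    """Evaluate QUERY's intent locally, so expected hits can be checked offline."""
    if doc.get("type") != "mysql":
        return False
    if not fnmatch.fnmatchcase(doc.get("source", ""), "xx?.domain.com"):
        return False
    slow = doc.get("mysql_query_time", 0) > 1
    heavy = doc.get("mysql_rows_examined", 0) > 1000000
    if not (slow or heavy):
        return False
    # match on an analyzed text field is token-based and case-insensitive
    tokens = {t.lower() for t in doc.get("mysql_query", "").split()}
    return not ({"select", "update"} & tokens)

# Constructed sample documents (not taken from the post).
DOCS = [
    {"type": "mysql", "source": "xx1.domain.com", "mysql_query_time": 3.2,
     "mysql_rows_examined": 10, "mysql_query": "DELETE FROM sessions WHERE expires < NOW()"},
    {"type": "mysql", "source": "xx1.domain.com", "mysql_query_time": 0.4,
     "mysql_rows_examined": 2000000, "mysql_query": "INSERT INTO audit SELECT * FROM tmp"},
    {"type": "mysql", "source": "xx2.domain.com", "mysql_query_time": 0.1,
     "mysql_rows_examined": 5, "mysql_query": "DELETE FROM cache"},
    {"type": "mysql", "source": "db3.domain.com", "mysql_query_time": 9,
     "mysql_rows_examined": 5, "mysql_query": "DELETE FROM cache"},
]

def expected_hits(docs=DOCS):
    return [i for i, d in enumerate(docs) if matches(d)]
```

The range clauses only compare numerically if those two mysql_* fields are mapped as numbers; on a string mapping the `>` comparison is lexical, which is one thing worth checking when threshold results look wrong.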