Query contains too many nested clauses

Continuing the discussion from Query parsing error: maxClauseCount is set to 1024:

1. Describe your incident:
I’m currently migrating from an old 4.3 installation with Elasticsearch to a new 5.0.5 installation with OpenSearch.

Before, I had set up an Event Definition with the following query:
("Group1" OR "Group2" OR "Group3" OR "Group4" OR "Group5" OR "Group6" OR "Group7" OR "Group8" OR "Group9" OR "Group10" OR "Group11" OR "Group12") AND (event_code:4729 OR event_code:4728 OR event_code:4733 OR event_code:4732 OR event_code:4756 OR event_code:4757)

On the new server I have to split this one into 3.
And if I’m going to split them up, I’m going to do it for each Group.

The error I’m getting is:

OpenSearch exception [type=too_many_nested_clauses, reason=Query contains too many nested clauses; maxClauseCount is set to 1024].

2. Describe your environment:

  • OS Information:
    Ubuntu 22.04.2 LTS
    Graylog 5.0.5
    MongoDB 6.0.5
    OpenSearch 2.6.0

3. Question:
Is there any way I can keep it in one Event Definition, or should I just go ahead and create one for each Group?

Hey @DanishIT_Guy

Have you seen this?

Thanks for sharing that @gsmith.
And no, this is the first time I’ve read it.

So what I got from reading that post is that it is a performance/resource safety feature,
and it’s not recommended to set it higher.
Just for testing, I tried setting it to 2048, and even that is not enough.

Is there another way for me to write my search query and still have all the Event IDs and groups?
If it was written in the post, I couldn’t seem to find it.
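The thread never spells out how the query above turns into more than 1024 clauses, so the following is an added example (not code from the thread, nor from Graylog or OpenSearch) that makes the usual cause explicit and automates the split the poster is already doing by hand. It assumes two things the thread does not state: that an unqualified quoted term such as "Group1" is expanded by query_string against every searchable field in the index set, so each such term costs roughly one clause per field, while a field-qualified term like event_code:4729 costs one clause; and that the field name `group_name` used in the last case is a hypothetical placeholder for whichever field actually carries the group name in these Windows events. The fan-out per term is taken as a parameter rather than guessed.

```python
"""Split a Graylog event-definition query so each piece stays under
OpenSearch's maxClauseCount, and compare with qualifying the group terms.

Added example, not from the forum thread or from Graylog/OpenSearch.
Assumptions (not stated in the thread):
  * an unqualified quoted term ("Group1") expands to about FIELDS clauses,
    one per searchable field; a field-qualified term costs one clause;
  * the limit in play is the 1024 quoted in the error message.
"""
from typing import List, Optional, Sequence

MAX_CLAUSE_COUNT = 1024  # the limit named in the OpenSearch error

# The terms from the thread's original event-definition query.
GROUPS = [f"Group{i}" for i in range(1, 13)]
EVENT_CODES = [4729, 4728, 4733, 4732, 4756, 4757]


def quote(term: str) -> str:
    """Quote a phrase for query_string syntax, escaping backslashes and quotes."""
    return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'


def group_clause(group: str, field: Optional[str]) -> str:
    """Unqualified phrase, or field-qualified if a field name is supplied."""
    return f"{field}:{quote(group)}" if field else quote(group)


def build_query(groups: Sequence[str], event_codes: Sequence[int],
                field: Optional[str] = None) -> str:
    """Rebuild the thread's query shape: (groups ORed) AND (event codes ORed)."""
    left = " OR ".join(group_clause(g, field) for g in groups)
    right = " OR ".join(f"event_code:{c}" for c in event_codes)
    return f"({left}) AND ({right})"


def estimate_clauses(n_groups: int, n_codes: int, fields_per_term: int,
                     field: Optional[str] = None) -> int:
    """Rough clause count under the fan-out assumption above."""
    per_group = 1 if field else fields_per_term
    return n_groups * per_group + n_codes


def split_queries(groups: Sequence[str], event_codes: Sequence[int],
                  fields_per_term: int, field: Optional[str] = None,
                  budget: int = MAX_CLAUSE_COUNT) -> List[str]:
    """Greedily pack groups into as few queries as fit under the budget.

    The event-code disjunction is repeated in every query, so it is a fixed
    cost; the number of groups per query is what gets divided up.
    """
    per_group = 1 if field else fields_per_term
    fixed = len(event_codes)
    if fixed + per_group > budget:
        raise ValueError("a single group does not fit under the clause budget; "
                         "qualify the term with a field or split the event codes too")
    per_query = (budget - fixed) // per_group
    return [build_query(groups[i:i + per_query], event_codes, field)
            for i in range(0, len(groups), per_query)]


if __name__ == "__main__":
    # Assumed fan-out of 200 fields per unqualified term, purely for illustration.
    for q in split_queries(GROUPS, EVENT_CODES, fields_per_term=200):
        print(q)
    # Qualifying the group term collapses the whole thing back into one query.
    print(split_queries(GROUPS, EVENT_CODES, fields_per_term=200, field="group_name")[0])
```

Run it and compare the two outputs: with a large per-term fan-out the twelve groups fall into several definitions, each repeating the same event_code clause; with the group term qualified by a field name the estimate drops to 18 clauses and a single definition suffices. To use the second form, substitute the real field that holds the group name in the Graylog messages for the placeholder `group_name`.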
