Continuing the discussion from Query parsing error: maxClauseCount is set to 1024:
1. Describe your incident:
I'm currently migrating from an old 4.3 installation with Elasticsearch to a new 5.0.5 installation with OpenSearch.
Previously I had set up an Event Definition with the following query:
("Group1" OR "Group2" OR "Group3" OR "Group4" OR "Group5" OR "Group6" OR "Group7" OR "Group8" OR "Group9" OR "Group10" OR "Group11" OR "Group12") AND (event_code:4729 OR event_code:4728 OR event_code:4733 OR event_code:4732 OR event_code:4756 OR event_code:4757)
On the new server I have to split this one into 3.
And if I'm going to split them up, I'm going to do it for each Group.
The error I'm getting is:
OpenSearch exception [type=too_many_nested_clauses, reason=Query contains too many nested clauses; maxClauseCount is set to 1024].
2. Describe your environment:
- OS Information: Ubuntu 22.04.2 LTS
- Graylog 5.0.5
- MongoDB 6.0.5
- OpenSearch 2.6.0
3. Question:
Is there any way I can keep it in 1 Event Definition, or should I just go ahead and create one for each Group?
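As an added illustration (not part of the original post), the Python model below estimates how many Lucene clauses the Event Definition query expands to and why that can pass the 1024 limit in the error. It assumes that, with OpenSearch's default `index.query.default_field` of `*`, each unqualified term such as `"Group1"` in a query_string query becomes one clause per mapped field while a field-qualified term such as `event_code:4729` stays a single clause; the field count (100) and the field name `target_group` are constructed assumptions.

```python
# Added example (not from the original post): estimate the Lucene clause
# count of the Event Definition query to see why it trips maxClauseCount.
#
# Assumption: with OpenSearch's default index.query.default_field of "*",
# an unqualified term such as "Group1" in a query_string query is expanded
# to one clause per mapped field, whereas a field-qualified term such as
# event_code:4729 is a single clause.  Nested bool queries themselves are
# not counted here, so the estimate is a lower bound of what Lucene checks.

MAX_CLAUSE_COUNT = 1024      # the limit reported in the error message
ALL_FIELDS = "*"             # marker for an unqualified (default-field) term

EVENT_CODES = (4729, 4728, 4733, 4732, 4756, 4757)


def count_clauses(query, num_fields):
    """query is a nested tuple: ("and"|"or", [subqueries]) or ("term", field, value)."""
    if query[0] == "term":
        return num_fields if query[1] == ALL_FIELDS else 1
    return sum(count_clauses(sub, num_fields) for sub in query[1])


def build_query(group_field, groups):
    """Rebuild the post's query: (group OR ...) AND (event_code:... OR ...)."""
    group_part = ("or", [("term", group_field, g) for g in groups])
    code_part = ("or", [("term", "event_code", c) for c in EVENT_CODES])
    return ("and", [group_part, code_part])


def exceeds_limit(query, num_fields):
    return count_clauses(query, num_fields) > MAX_CLAUSE_COUNT


if __name__ == "__main__":
    num_fields = 100                       # constructed: mapped fields in the index set
    groups = [f"Group{i}" for i in range(1, 13)]

    # 1) The original query with unqualified group names.
    q = build_query(ALL_FIELDS, groups)
    print("unqualified, 12 groups:", count_clauses(q, num_fields), exceeds_limit(q, num_fields))

    # 2) Split into three definitions of four groups each, as the post describes.
    q3 = build_query(ALL_FIELDS, groups[:4])
    print("unqualified, 4 groups: ", count_clauses(q3, num_fields), exceeds_limit(q3, num_fields))

    # 3) Same 12 groups, but qualified with a field (hypothetical name target_group).
    qf = build_query("target_group", groups)
    print("qualified, 12 groups:  ", count_clauses(qf, num_fields), exceeds_limit(qf, num_fields))
```

Under these assumptions the unqualified 12-group query costs 12 × 100 + 6 = 1206 clauses, a 4-group split costs 406, and qualifying the group terms with a field brings the full query down to 18, which is why the number of mapped fields in the index set matters more than the number of groups.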