Upgrade from 2.4.6 to 2.5, ES6 - Cannot OR search anymore?

ksccare · December 20, 2018, 9:46pm

I know i’ve missed a step somewhere or done something dumb because i always do.

I can no longer issue a search with an OR set, i.e. winlogbeat_event_id:( 4728 4729 ) will return nothing, but doing each numeric id individually will work fine. A standard OR search will work fine.
winlogbeat_event_id: 4728 OR winlogbeat_event_id: 4729

Every other search type i can think of works fine

If i pick an Index from prior to the upgrade, i get the following error but i cannot seem to find a relevant log with an error on any of my graylog nodes.

Unable to perform search query failed to create query: {

“bool” : { “must” : [ { “query_string” : { “query” : “winlogbeat_event_id:( 4728 4729 )”, “fields” : , “type” : “best_fields”, “default_operator” : “or”, “max_determinized_states” : 10000, “allow_leading_wildcard” : false, “enable_position_increments” : true, “fuzziness” : “AUTO”, “fuzzy_prefix_length” : 0, “fuzzy_max_expansions” : 50, “phrase_slop” : 0, “escape” : false, “auto_generate_synonyms_phrase_query” : true, “fuzzy_transpositions” : true, “boost” : 1.0 } } ], “filter” : [ { “bool” : { “must” : [ { “range” : { “timestamp” : { “from” : “2018-12-13 21:37:12.694”, “to” : “2018-12-20 21:37:12.694”, “include_lower” : true, “include_upper” : true, “boost” : 1.0 } } } ], “adjust_pure_negative” : true, “boost” : 1.0 } } ], “adjust_pure_negative” : true, “boost” : 1.0 } }

Details:

failed to create query: { "bool" : { "must" : [ { "query_string" : { "query" : "winlogbeat_event_id:( 4728 4729 )", "fields" : [ ], "type" : "best_fields", "default_operator" : "or", "max_determinized_states" : 10000, "allow_leading_wildcard" : false, "enable_position_increments" : true, "fuzziness" : "AUTO", "fuzzy_prefix_length" : 0, "fuzzy_max_expansions" : 50, "phrase_slop" : 0, "escape" : false, "auto_generate_synonyms_phrase_query" : true, "fuzzy_transpositions" : true, "boost" : 1.0 } } ], "filter" : [ { "bool" : { "must" : [ { "range" : { "timestamp" : { "from" : "2018-12-13 21:37:12.694", "to" : "2018-12-20 21:37:12.694", "include_lower" : true, "include_upper" : true, "boost" : 1.0 } } } ], "adjust_pure_negative" : true, "boost" : 1.0 } } ], "adjust_pure_negative" : true, "boost" : 1.0 } }

Search status code:

500

Search response:

cannot GET https://:9000/api/search/universal/relative?query=winlogbeat_event_id%3A%28%204728%204729%20%29&range=604800&limit=150&sort=timestamp%3Adesc (500)

system · January 3, 2019, 9:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat templates for Elasticsearch not complete? Graylog Central (peer support) sidecar , winlogbeat	5	1023	December 25, 2018
Logical OR in alert condition Graylog Central (peer support) sidecar , winlogbeat	5	2090	September 28, 2017
MIstakely I deleted graylog_* Graylog Central (peer support)	2	390	June 16, 2020
Searchbar case insensitive Graylog Central (peer support) sidecar , winlogbeat	2	2958	December 16, 2019
Search Query Errors After Upgrade v2.4.7 to v3.3.5 Graylog Central (peer support)	3	348	September 17, 2020

Upgrade from 2.4.6 to 2.5, ES6 - Cannot OR search anymore?

Related topics