Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v2.2.0
Describe the issue:
Hi guys,
I want to configure a monitor in which specific values matched by several query clauses together act as the trigger for an alert.
Now I also want to exclude one value in one of those clauses, i.e. a negated / “is not” operator.
Example: trigger the alert when value “x” is logged for clause 1 and clause 2, but not when value “y” is logged for clause 3 (so a hit on “y” suppresses the alert even if clauses 1 and 2 match — that is intended, but it means the exclusion is also a blind spot for anything that carries “y”).
The following query body is my current monitor; all of the clauses sit in the `bool.filter` array, so every one of them has to match — the classic “and” operators.
How can I add an “is not” (negated) condition to this query so that a match on that single value is excluded?
Relevant Logs or Screenshots:
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "{{period_end}}||-10m",
"to": "{{period_end}}",
"include_lower": true,
"include_upper": true,
"format": "epoch_millis",
"boost": 1
}
}
},
{
"match_phrase": {
"winlog.event_data.TargetUserName": {
"query": "USERNAME",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"agent.hostname": {
"query": "HOSTNAME",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"event.code": {
"query": "1234",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {}
}