Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch Dashboards
Describe the issue:
I’m new to DQL but I’ve read its documentation to get a high level overview on how to utilize it. I’m trying to count the number of occurrences of a “log” item within a set time range that contains a phrase such as “admin/x1/x2” but excludes any phrase like “admin/x1/x2/{unique_id}” or “admin/x1/x2/x3”.
I’ve attempted numerous queries that I thought were right, but they didn’t work out in the end. For example, typing in
log: "admin/x1/x2"
grants me the same results as
log: "admin/x1/x2/"
where the latter query still returns logs that do not contain the final slash; though querying without any slashes (such as between admin and x1) will return nothing, so it’s confusing how slashes are processed in the query.
I’ve also attempted using wildcards in a format such as this:
log: "admin/x1/x2" AND NOT log: x2/*
The query ends up returning only the results of the first half, as if NOT log: x2/* doesn’t affect anything.
I’m not sure what else I can do to solve this and I’ve already tried resolving this by reading what I can through the documentation, but please let me know if I missed an easy solution to this problem!
Configuration:
Relevant Logs or Screenshots: