Query filters are not applied

Versions: OS 3.2.0

Describe the issue: I want to use a python script to send multiple queries to OS. However, I get always the most recent log entry. The filter of the query is not applied.

My query is like this:

GET /syslog-*/_search
{
  "query": {
    "query_string": {
      "query": "syslog_program:suricata and fw_name: sws01.*********** and suricata.alert.signature:* and suricata.src_ip:* and suricata.dest_ip:10.10.* and not suricata.src_ip:10.10.*"
    }  
  },
  "size": 2,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

I want to filter to syslog_program: suricata, but I get all syslog_program values. In the case of the screenshot, it is “charon”. The usage of match is not possible, since I have several query strings I iterate. I do not get syntax errors, I guess it is more a logical error, but I do not get it.

Configuration: nothing relevant

Relevant Logs or Screenshots:

@dennis_u can you provide the mappings of this index? Is the query being applied to a text field or keyword?

If you have the following mappings:

PUT syslog-demo
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },

      "syslog_program": { "type": "keyword" },
      "fw_name":        { "type": "keyword" },

      "suricata": {
        "properties": {
          "alert": {
            "properties": {
              "signature": { "type": "keyword" }
            }
          },
          "src_ip":  { "type": "ip" },
          "dest_ip": { "type": "ip" }
        }
      }
    }
  }
}

You can use this query:

GET syslog-demo/_search
{
  "size": 10,
  "sort": [{ "@timestamp": "desc" }],
  "query": {
    "query_string": {
      "query": "syslog_program:\"suricata\" AND fw_name:\"sws01.example\" AND _exists_:suricata.alert.signature AND _exists_:suricata.src_ip AND suricata.dest_ip:\"10.10.0.0/16\" AND NOT suricata.src_ip:\"10.10.0.0/16\""
    }
  }
}

Thx for your reply.

I thought the value assignment in logstash does this. But I read that this is independent.

I wanted to change the value in the index pattern, but it is not possible:

Do I have to change it in the indexes? I create a new one every day.

I am wondering why I can use OSD for searching, but not directly on the OS level.

(P.S.: suricata creates several dest_ip fields. I am aware that I used suricata.alert.dest_ip in the opener)

Edit: Ah, the way to go is to create an ‘index template’ for (in my case) syslog-* and to put the mappings in there. Every new index has the new mappings, right?

@dennis_u yes, index template is the way to go if you want to ensure the mapping is consistent.

I guess the space after fw_name: might cause a problem. /_validate/query?explain=true (Validate query - OpenSearch Documentation) might give a clue what’s going on here.