23

I am running this query against AWS Elasticsearch 5.1 and getting a malformed query error. Here is the body of the request. I am basically just checking if the field exists during the time range.

{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gt": "2017-03-21T15:37:08.595919Z",
                  "lte": "2017-04-21T15:52:08.595919Z"
                }
              }
            },
            {
              "query": [
                {
                  "query_string": {
                    "query": "_exists_: $event.supplier"
                  }
                }
              ]
            }
          ]
        }
      }
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "asc"
      }
    }
  ]
}
lorem

1 Answer

19

The second must statement was incorrect:

{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gt": "2017-03-21T15:37:08.595919Z",
                  "lte": "2017-04-21T15:52:08.595919Z"
                }
              }
            },
            {
              "query_string": {
                "query": "_exists_: $event.supplier"
              }
            }
          ]
        }
      }
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "asc"
      }
    }
  ]
}
Andrei Stefan
  • [65] Where on earth is the second must statement? – dmi3y Sep 14 '18 at 22:00
  • [4] Having diffed the answer, they've removed the `query` specifier that used to be around `query_string` – muddyfish Dec 21 '18 at 17:09
  • [20] For those coming here in the future: The `must` is an array, so the second set of curly braces that holds the `query_string` is the second `must`. – Aterxerxes May 30 '19 at 14:58
  • [1] So it was the second item in the must array – jrivam Nov 25 '19 at 16:14
  • [1] @tar there is nothing to explain. The original query was malformed, which means that there was a syntax error in it. No error in the logic of the query or how it was created, just a syntax error. I've corrected the error and posted the correct query. If you compare the two you'll notice the difference. Downvoting a correct answer with an explanation like that is unfair. I hope you'll find my other answers on the Elasticsearch subject more useful to you. – Andrei Stefan Mar 10 '20 at 06:13
  • @AndreiStefan can you also explain the error "no start_object after query name"? What on earth does it mean? In this case, what exactly is a "start_object", and what are the possible things/keywords that could be a start_object? – Thomas Nguyen Jan 18 '23 at 05:52
  • @ThomasNguyen in JSON format `{ }` is considered an "object". The start of an object is the opening curly bracket. `no start_object after query name` means the JSON parser is expecting an opening curly bracket after the "query name". – Andrei Stefan Jan 18 '23 at 10:45
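
Added example, not part of the original answer or of Elasticsearch itself: a small Python lint for the rule described in the last comment, that every query name must be followed by a JSON object. The function names and the subset of the query DSL it walks (`bool` and its clause slots) are assumptions; the sample bodies are constructed from the two queries on this page, without the `sort` section.

```python
import json

# Slots of a bool query whose values hold nested query clauses (a subset of
# the query DSL, enough for the bool/filter shape used on this page).
BOOL_SLOTS = ("must", "filter", "should", "must_not")


def lint_clause(clause, path="query"):
    """Return a list of structural problems found in one query clause."""
    if not isinstance(clause, dict):
        return [f"{path}: clause must be a JSON object, got {type(clause).__name__}"]
    if len(clause) != 1:
        return [f"{path}: clause needs exactly one query name, got {sorted(clause)}"]
    name, body = next(iter(clause.items()))
    here = f"{path}.{name}"
    if not isinstance(body, dict):
        # The condition reported as "no start_object after query name".
        return [f"{here}: no start_object after query name "
                f"(value is {type(body).__name__}, expected an object)"]
    problems = []
    if name == "bool":
        for slot in BOOL_SLOTS:
            if slot not in body:
                continue
            children = body[slot]
            # A slot accepts either a single clause or an array of clauses.
            if isinstance(children, list):
                for i, child in enumerate(children):
                    problems += lint_clause(child, f"{here}.{slot}[{i}]")
            else:
                problems += lint_clause(children, f"{here}.{slot}")
    return problems


def lint_search_body(body_text):
    """Lint the "query" section of a search request body given as JSON text."""
    return lint_clause(json.loads(body_text)["query"])


# Constructed sample bodies built from the question (BROKEN) and answer (FIXED).
RANGE = ('{"range": {"@timestamp": {"gt": "2017-03-21T15:37:08.595919Z", '
         '"lte": "2017-04-21T15:52:08.595919Z"}}}')
EXISTS = '{"query_string": {"query": "_exists_: $event.supplier"}}'
TEMPLATE = '{"query": {"bool": {"filter": {"bool": {"must": [%s, %s]}}}}}'
BROKEN = TEMPLATE % (RANGE, '{"query": [%s]}' % EXISTS)
FIXED = TEMPLATE % (RANGE, EXISTS)
```

Calling `lint_search_body(BROKEN)` reports the second element of the `must` array, where `query` is followed by an array instead of an object; `lint_search_body(FIXED)` returns an empty list.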