Simple Query_String not working?

[swiftbird07]

Hey guys,

love this project so far and I already got ElastAlert to give me alerts if I use queries like this:

filter:
- term:
    sprocess.name: "firefox"

But if I want to use query_strings (to in the future use OR etc..) like this:

filter:
- query:
     query_string:
       query: "process.name : 'firefox'"

it results in:

Traceback (most recent call last):
  File "/etc/elastalert/elastalert_alexandre/virtualenvelastalert/bin/elastalert", line 11, in <module>
    load_entry_point('elastalert==0.2.4', 'console_scripts', 'elastalert')()
  File "/etc/elastalert/elastalert_alexandre/virtualenvelastalert/lib/python3.8/site-packages/elastalert-0.2.4-py3.8.egg/elastalert/elastalert.py", line 2051, in main
    client = ElastAlerter(args)
  File "/etc/elastalert/elastalert_alexandre/virtualenvelastalert/lib/python3.8/site-packages/elastalert-0.2.4-py3.8.egg/elastalert/elastalert.py", line 140, in __init__
    self.rules = self.rules_loader.load(self.conf, self.args)
  File "/etc/elastalert/elastalert_alexandre/virtualenvelastalert/lib/python3.8/site-packages/elastalert-0.2.4-py3.8.egg/elastalert/loaders.py", line 126, in load
    raise EAException('Error loading file %s: %s' % (rule_file, e))
elastalert.util.EAException: Error loading file siem_rules/p3_elastic.yaml: Error initializing rule Example p3_elastic_trigger: Error searching for existing terms: RequestError(400, 'x_content_parse_exception', {'error': {'root_cause': [{'type': 'parsing_exception', 'reason': 'unknown query [query]', 'line': 1, 'col': 228}], 'type': 'x_content_parse_exception', 'reason': '[1:228] [bool] failed to parse field [must]', 'caused_by': {'type': 'parsing_exception', 'reason': 'unknown query [query]', 'line': 1, 'col': 228, 'caused_by': {'type': '**named_object_not_found_exception**', 'reason': '[1:228] unknown field [query]'}}}, 'status': 400})

Can anyone help me here?

[keny2021]

hi @maof97 , Have you had any luck with your queries after @nsano-rururu suggestions?