query_string filter does not work

[ben-sec]

Hello!

Why is this simple query_string filter not working:

filter:

• query: query_string: query: "event.module: sysmon AND NOT process.command_line: dwm.exe"

I get

Error initializing rule New User found: Error searching for existing terms: RequestError(400, 'x_content_parse_exception', {'error': {'root_cause': [{'type': 'parsing_exception', 'reason': 'unknown query [que1:231] [bool] failed to parse field [must]', 'caused_by': {'type': 'parsing_exception', 'reason': 'unknown query [query]', 'line': 1, 'col': 231, 'caused_by': {'type': 'named_object_not_found_exception', 'reason': '[1:231] unknown field

What's wrong here? Thanks in advance!

Cheers, Ben

[nsano-rururu]

look https://github.com/Yelp/elastalert/issues/3178

[ben-sec]

Should I open a new issue under Elastalert 2?

[nsano-rururu]

of course

[saurabhPV]

@ben-sec Did you find the solution? Are you getting this error for New Term rule ? It works for every rule except this type

[ben-sec]

No, I didn't and yes, I tried it for a New Term rule.

[saurabhPV]

Breadcrumb for whoever stumbles upon this issue https://github.com/jertel/elastalert2/discussions/459