Query : Field Exists ?? Its Possible?

[portalthiago]

Guys, its possible in elastalert2 having a test on a alert query that respond if a field exists?

rule.mitre.tactic: "exists" as example. This will help alot. Anyone know about it? Thx

[nsano-rururu]

try it.

filter:
  - query:
      query_string:
        query: "_exists_:rule.mitre.tactic"

[nsano-rururu]

yelp / elastalert past issues

Yelp/elastalert#670 (comment)

Osquery data? :)

Are you using timestamp_field: _timestamp?

This looks like it's missing a timestamp field where it expects one. It probably shouldn't crash like this, but maybe try adding to the filters

query:
  query_string:
    query: "_exists_: _timestamp"

[nsano-rururu]

@jertel

Is it the answer to the discussion below?
#687

[jertel]

Yes, thanks for pointing that mistake out. I moved the reply to the correct discussion.

[portalthiago]

Thx Guys! For the enlightenment!