How do ELK queries work with Harness?

When configuring the Query Type for ELK workflow verification there are two options:

TERM finds documents that contain the exact term specified.

Example TERM query created from Harness workflow execution:

{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              { "term": { "host.name": "Prod-Ingestion-Storm-Supervisor" } }
            ]
          }
        }
      ]
    }
  }
}

MATCH queries perform full-text matching, which can behave like a "starts with" match on the string. They also accept text, numerics, and dates, analyze them, and construct a query from the resulting tokens.

Example MATCH query created by Harness workflow execution:

{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              { "match": { "host.name": "Prod-Ingestion-Storm-Supervisor" } }
            ]
          }
        }
      ]
    }
  }
}

In the two queries above, TERM only returns results whose host.name is exactly "Prod-Ingestion-Storm-Supervisor" in the logs, because a term query is not analyzed and compares the stored value as-is; it will not match a value with a suffix such as "Prod-Ingestion-Storm-Supervisor-04b".

MATCH with the same host.name, on the other hand, also matches entries carrying a suffix, such as "Prod-Ingestion-Storm-Supervisor-04b".
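To make the difference concrete, here is an added example (not code from the original post or from Harness) that builds the same bool/filter/should wrapper shown above for either query type and then evaluates it against a few constructed host names. The `analyze` function is a deliberately simplified stand-in for Elasticsearch's standard analyzer (lowercase, split on non-alphanumerics), and `match_matches` uses the match query's default OR operator; neither is the real Elasticsearch implementation, and the sample hosts are constructed.

```python
import json
import re

# Constructed sample host.name values (not taken from the original post).
SAMPLE_HOSTS = [
    "Prod-Ingestion-Storm-Supervisor",
    "Prod-Ingestion-Storm-Supervisor-04b",
    "Prod-Ingestion-Storm-Worker-01",
    "prod-ingestion-storm-supervisor",
]


def build_harness_query(query_type, field, value):
    """Build the bool/filter/should wrapper from the post for a TERM or MATCH query."""
    clause = query_type.lower()
    if clause not in ("term", "match"):
        raise ValueError("query_type must be TERM or MATCH")
    return {
        "query": {
            "bool": {
                "filter": [
                    {"bool": {"should": [{clause: {field: value}}]}}
                ]
            }
        }
    }


def analyze(text):
    """Simplified stand-in for the standard analyzer: lowercase, split on non-alphanumerics."""
    return [tok for tok in re.split(r"[^0-9a-z]+", text.lower()) if tok]


def term_matches(indexed_value, query_value):
    """term: no analysis; the stored value must equal the query value exactly."""
    return indexed_value == query_value


def match_matches(indexed_value, query_value):
    """match: both sides are analyzed; with the default OR operator any shared token is a hit."""
    return bool(set(analyze(indexed_value)) & set(analyze(query_value)))


def run_query(query, documents):
    """Evaluate a Harness-style query body against a list of {field: value} documents."""
    should = query["query"]["bool"]["filter"][0]["bool"]["should"][0]
    ((clause, body),) = should.items()
    ((field, value),) = body.items()
    predicate = term_matches if clause == "term" else match_matches
    return [doc[field] for doc in documents if field in doc and predicate(doc[field], value)]


if __name__ == "__main__":
    docs = [{"host.name": host} for host in SAMPLE_HOSTS]
    for qtype in ("TERM", "MATCH"):
        query = build_harness_query(qtype, "host.name", "Prod-Ingestion-Storm-Supervisor")
        print(qtype, json.dumps(query))
        print("  hits:", run_query(query, docs))
```

Note that under the default OR operator the match query also hits "Prod-Ingestion-Storm-Worker-01", because it shares the tokens prod, ingestion and storm with the query; if a verification step should only widen to suffixed hosts and not to sibling roles, the real Elasticsearch match query accepts `"operator": "and"` to require every query token, which is the setting to check when a MATCH-based verification pulls in unexpected hosts.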
