how to query nested value in elastalert2 using query_strings

[ziaul-ict2020]

Hi team,

I have created a frequency rule for querying a nested field. Here i have shared the rule file.

name: Backend_Error_Status_Alert
is_enabled: True
type: frequency
index: api.log*

num_events: 10
timeframe:
  hours: 1


filter:
- query:
    query_string:
      query: "http.url: https://hidden AND http.response_code: 200"

alert:
- "googlechat"
googlechat_webhook_url: "hidden"
googlechat_format: "card"
googlechat_header_title: "Warning For Event"
alert_text_type: alert_text_jinja
alert_text: |
        Service: {{service}}
        URL: {{url}}
        httpTotaltime: {{httpTotalTime}}
        msisdn: {{msisdn}}
        http: {{http[0].url}}
        response code: {{http[0].response_code}}
        Number_Hits: {{num_hits}}
        Number_Event: {{num_matches}}

when I test this rule, I have been got the below error.

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
            To send them but remain verbose, use --verbose instead.

Didn't get any results.

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.
INFO:elastalert:1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
ERROR:elastalert:Error running query: ['Failed to parse query [http.url: hidden AND http.response_code: 200]']

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_error - {'message': "Error running query: ['Failed to parse query [http.url: hidden AND http.response_code: 200]']", 'traceback': ['Traceback (most recent call last):', '  File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 387, in get_hits', '    raise ElasticsearchException(errs)', "elasticsearch.exceptions.ElasticsearchException: ['Failed to parse query [http.url: hidden AND http.response_code: 200]']"], 'data': {'rule': 'Backend_Error_Status_Alert', 'query': {'query': {'bool': {'filter': {'bool': {'must': [{'range': {'@timestamp': {'gt': '2023-01-23T18:47:56.947551Z', 'lte': '2023-01-23T19:17:56.947551Z'}}}, {'query_string': {'query': 'http.url: hidden AND http.response_code: 200'}}]}}}}, 'sort': [{'@timestamp': {'order': 'asc'}}]}}}

Please help me with your valuable suggest how I will be able to resolve this issue.
Thanks
Ziaul

[jertel]

On this line:

      query: "http.url: https://hidden AND http.response_code: 200"

Try wrapping the URL value in escaped quotes:

      query: "http.url: \"https://hidden\" AND http.response_code: 200"

[ziaul-ict2020]

Thank you so much. The issue has been resolved