Problems filtering values to represent

Hi,

I am trying to graph the available disk space of an instance. But I want to discriminate disks that contain “loop” and “lxcfs”.

I have tried to insert in Query the following query “host.hostname:$hostname and not system.filesystem.device_name:“lxcfs” and not system.filesystem.device_name:/dev/loop*”, but the result is the same.

{
“xhrStatus”: “complete”,
“request”: {
“method”: “POST”,
“url”: “api/datasources/proxy/1/_msearch?max_concurrent_shard_requests=5”,
“data”: “{“search_type”:“query_then_fetch”,“ignore_unavailable”:true,“index”:”*"}\n{“size”:0,“query”:{“bool”:{“filter”:[{“range”:{"@timestamp":{“gte”:1583737820344,“lte”:1583759420344,“format”:“epoch_millis”}}},{“query_string”:{“analyze_wildcard”:true,“query”:“host.hostname:(\“elk\\-ssl\”) and not system.filesystem.device_name:\“lxcfs\” and not system.filesystem.device_name: loop “}}]}},“aggs”:{“3”:{“terms”:{“field”:“system.filesystem.mount_point”,“size”:10,“order”:{“1”:“desc”},“min_doc_count”:1},“aggs”:{“1”:{“avg”:{“field”:“system.filesystem.used.pct”}},“2”:{“date_histogram”:{“interval”:“15s”,“field”:”@timestamp",“min_doc_count”:0,“extended_bounds”:{“min”:1583737820344,“max”:1583759420344},“format”:“epoch_millis”},“aggs”:{“1”:{“avg”:{“field”:“system.filesystem.used.pct”}}}}}}}}\n"
},
“response”: {
“took”: 826,
“responses”: [
{
“error”: {
“root_cause”: [],
“type”: “search_phase_execution_exception”,
“reason”: “”,
“phase”: “fetch”,
“grouped”: true,
“failed_shards”: [],
“caused_by”: {
“type”: “too_many_buckets_exception”,
“reason”: “Trying to create too many buckets. Must be less than or equal to: [10000] but was [10001]. This limit can be set by changing the [search.max_buckets] cluster level setting.”,
“max_buckets”: 10000
}
},
“status”: 503
}
],
“$$config”: {
“method”: “POST”,
“url”: “api/datasources/proxy/1/_msearch?max_concurrent_shard_requests=5”,
“data”: “{“search_type”:“query_then_fetch”,“ignore_unavailable”:true,“index”:”
”}\n{“size”:0,“query”:{“bool”:{“filter”:[{“range”:{"@timestamp":{“gte”:1583737820344,“lte”:1583759420344,“format”:“epoch_millis”}}},{“query_string”:{“analyze_wildcard”:true,“query”:“host.hostname:(\“elk\\-ssl\”) and not system.filesystem.device_name:\“lxcfs\” and not system.filesystem.device_name: loop *”}}]}},“aggs”:{“3”:{“terms”:{“field”:“system.filesystem.mount_point”,“size”:10,“order”:{“1”:“desc”},“min_doc_count”:1},“aggs”:{“1”:{“avg”:{“field”:“system.filesystem.used.pct”}},“2”:{“date_histogram”:{“interval”:“15s”,“field”:"@timestamp",“min_doc_count”:0,“extended_bounds”:{“min”:1583737820344,“max”:1583759420344},“format”:“epoch_millis”},“aggs”:{“1”:{“avg”:{“field”:“system.filesystem.used.pct”}}}}}}}}\n"
}
}
}

What is the mistake?

My best guess is that your query should look like this:

host.hostname:$hostname AND NOT system.filesystem.device_name:(lxcfs OR \/dev\/loop*)
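
An added example, not part of the original thread: a Python sketch that builds the filter suggested above from raw values and flags lowercase `and`/`or`/`not`, which `query_string` reads as search terms rather than operators. The function names are hypothetical, the hostname `elk-ssl` is taken from the request shown in the question, and values are assumed to contain no whitespace.

```python
import re

# Characters with special meaning in Elasticsearch query_string (Lucene) syntax.
RESERVED = re.compile(r'[+\-=!(){}\[\]^"~*?:\\/&|]')


def escape_term(value, keep_wildcards=False):
    """Backslash-escape reserved characters so the value is matched literally.

    '<' and '>' cannot be escaped in query_string, so they are removed.
    With keep_wildcards=True, '*' and '?' stay active as wildcards.
    """
    value = value.replace("<", "").replace(">", "")

    def repl(match):
        ch = match.group(0)
        if keep_wildcards and ch in "*?":
            return ch
        return "\\" + ch

    return RESERVED.sub(repl, value)


def build_query(hostname, excluded_devices):
    """Build the host filter with an uppercase AND NOT over a grouped OR list."""
    host = escape_term(hostname)
    devices = " OR ".join(
        escape_term(d, keep_wildcards=True) for d in excluded_devices
    )
    return f"host.hostname:{host} AND NOT system.filesystem.device_name:({devices})"


def lowercase_operators(query):
    """Return and/or/not tokens written in lowercase outside quoted phrases."""
    unquoted = re.sub(r'"[^"]*"', "", query)
    return re.findall(r"\b(and|or|not)\b", unquoted)


if __name__ == "__main__":
    # Constructed input: the query from the question, with $hostname left as typed.
    asked = ('host.hostname:$hostname and not system.filesystem.device_name:"lxcfs" '
             'and not system.filesystem.device_name:/dev/loop*')
    print(lowercase_operators(asked))
    print(build_query("elk-ssl", ["lxcfs", "/dev/loop*"]))
```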