If I define the query like this
$match:
{
syslog_type:"sophos_xg",
log_type:"Firewall",
$expr: {$eq : ["$month_document",{{ select_month.value }}] }
{{VAR_src_ip.value}}
}
With VAR_src_ip.value:
,src_ip: {$in : ["192.168.222.100", "93.113.208.70"]}
Comes a JSON error:
The value given - [ { $addFields: { month_document: { "$month": {$toDate : "$timestamp" }} } }, { $match: { syslog_type:"sophos_xg", log_type:"Firewall", $expr: {$eq : ["$month_document",6] } **,src_ip: {$in : ["192.168.222.100","93.113.208.70"]} } }**, { $group: { "_id": { "src_ip" : "$src_ip", "year": {$toString: { "$year": {$toDate : "$timestamp" }}}, "month_number" : { "$month": {$toDate : "$timestamp" }}, "month": {$toString: { "$month": {$toDate : "$timestamp" }}}, "week": {$toString: { "$week": {$toDate : "$timestamp" }}}, "dayOfWeek": {$toString: { "$dayOfWeek": {$toDate : "$timestamp" }}} }, count: {$sum:1} } }, { $sort : {count : -1} } , { $project: { src_ip : "$_id.src_ip", year : "$_id.year", month_number : "$_id.month_number", week : {$concat : ["$_id.week","/","$_id.year"]}, month : {$concat : ["$_id.month","/","$_id.year"]}, dayOfWeek : {$concat : ["$_id.week","/","$_id.year","/","$_id.dayOfWeek"]}, count : "$count", _id : false } }, { $limit : 30 } ]
must be valid JSON.