BenjaFriend
Reputation: 664
Query items by timestamp in Logstash
So I want to get all events since a certain time, for example since "2017-03-02T21:56:53.033Z".
I made a runtime_timestamp field that just copies the @timestamp field, because I am parsing this data into C# and @ symbols don't play nice in there.
Here is my Logstash filter for that, which DOES work. I know this for a fact.
filter {
mutate {
add_field => ["runtime_timestamp", "%{@timestamp}"]
}
}
Here is the what I have now, that does not work.
{
"query": {
"range": {
"runtime_timestamp":
"2017-03-02T21:56:53.033Z"
},
"_source": {
"includes": [
"runtime_timestamp",
"id_orig_p",
"id_orig_p",
"id_orig_h",
"conn_state",
"id_resp_h",
"id_resp_p",
"service",
"proto",
"tags"
]
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
Now, I get the following error from this query.
{
"error" : {
"root_cause" : [
{
"type" : "parsing_exception",
"reason" : "[range] query does not support [runtime_timestamp]",
"line" : 5,
"col" : 9
}
],
"type" : "parsing_exception",
"reason" : "[range] query does not support [runtime_timestamp]",
"line" : 5,
"col" : 9
},
"status" : 400
}
I tried this query also with timestamp in place of runtime_timestamp, and I still get the same error.
Upvotes: 0
Views: 217
Answers (1)
Christian Häckh
Reputation: 522
Your range query is malformed. Try this instead (gte means greater-than-or-equal):
{
"query": {
"range" : {
"runtime_timestamp" : {
"gte": "2017-03-02T21:56:53.033Z",
}
}
}
}
Upvotes: 1
Related Questions
- Logstash - Use current date as timestamp date
- Using log timestamp as @timestamp in elasticsearch
- Elasticsearch failed to parse [timestamp]
- Logstash date parsing as timestamp using the date filter
- How to query elasticsearch to get data between two timestamps
- Logstash: timestamp pattern
- Logstash unable to parse timestamp
- Need to extract the timestamp from a logstash elasticsearch cluster
- How to use _timestamp in logstash elasticsearch
- Logstash filter timestamp from log message