Elasticsearch -- get count of log type in last 24 hours

Question

So I have 3 types of logs in my Elasticsearch index-

CA, CT, And Acc

I am trying to query Elasticsearch to get a count of each for the 24 hours before the call but I'm not having much luck combining them.

Calling

10.10.23.45:9200/filebeat-*/_count

With

{
 "query":{
    "term": {"type":"ct"}
 }
}

Gets me the count, but trying to add the time-range has proved to be fruitless. When I try to add a range to the same query -- it doesn't work

I tried using:

{
    "query":{
        "term": {"type":"ct"},
        "range":{
            "date":{
                "gte": "now-1d/d",
                "lt" : "now"
            }
        }
    }
}

But was returned

{
"error": {
    "root_cause": [
        {
            "type": "parsing_exception",
            "reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
            "line": 5,
            "col": 3
        }
    ],
    "type": "parsing_exception",
    "reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 5,
    "col": 3
},
"status": 400
}

Answer 1

The following worked for me (note -- this is a post sent to elasticsearch:9200/index/_search )

{"query":{"bool":{"must":[{"query_string":{"analyze_wildcard":true,"query":"type:\"acc\""}},{"range":{"@timestamp":{"gte":"now-1h","lte":"now","format":"epoch_millis"}}}]}}}

Answer 2

You need to use Bool Query to combine two types of queries into one. Try this instead.

POST _search
{
  "query": {
    "bool" : {
      "must" : {
        "term": {"type":"ct"}
      },
      "must" : {
        "range":{
            "date":{
                "gte": "now-1d/d",
                "lt" : "now"
            }
        }
      }
    }
  }
}