Reputation: 2870
ES query ignoring time range filter
I have mimicked how kibana does a query search and have come up with the below query. Basically I'm looking for the lat 6 days of data (including those days where there is no data, since I need to feed it to a graph). But the returned buckets is giving me more than just those days. I woul like to understand where I'm going wring with this.
{
"version": true,
"size": 0,
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"_source": {
"excludes": []
},
"aggs": {
"target_traffic": {
"date_histogram": {
"field": "@timestamp",
"interval": "1d",
"time_zone": "Asia/Kolkata",
"min_doc_count": 0,
"extended_bounds": {
"min": "now-6d/d",
"max": "now"
}
},
"aggs": {
"days_filter": {
"filter": {
"range": {
"@timestamp": {
"gt": "now-6d",
"lte": "now"
}
}
},
"aggs": {
"in_bytes": {
"sum": {
"field": "netflow.in_bytes"
}
},
"out_bytes": {
"sum": {
"field": "netflow.out_bytes"
}
}
}
}
}
}
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
"@timestamp",
"netflow.first_switched",
"netflow.last_switched"
],
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "( flow.src_addr: ( \"10.5.5.1\" OR \"10.5.5.2\" ) OR flow.dst_addr: ( \"10.5.5.1\" OR \"10.5.5.2\" ) ) AND flow.traffic_locality: \"private\"",
"analyze_wildcard": true,
"default_field": "*"
}
}
]
}
}
}
Upvotes: 0
Views: 278
Answers (1)
Reputation: 217594
If you put the range filter inside your aggregation section without any date range in your query, what is going to happen is that your aggregations will run on all your data and metrics will be bucketed by day over all your data.
The range query on @timestamp should be moved inside the query section so as to compute aggregations only on the data you want, i.e. the last 6 days.
Upvotes: 1
Related Questions
- ElasticSearch: How to query a date field using an hours-range filter
- Elastic search fail to do a timestamp range query
- Elasticsearch time-range query and data
- Elasticsearch time field and range query
- Date range Query in kibana 5.6.3 not working with @timestamp
- How correctly to filter entries by date range in Elasticsearch?
- elasticsearch 6: hours-range filter from @timestamp
- No exact match for RANGE query for a specific time
- Elastic Search Date Range Filter Not Working
- How can I search on time ranges in Elasticsearch?