PUT _xpack/watcher/watch/log_error_watch
{
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"search": {
"request": {
"indices": [
"filebeat-2017.01.02"
],
"body": {
"sort": [
{
"#timestamp": {
"order": "desc"
}
}
],
"query": {
"range": {
"offset": {
"gte": 1000,
"lte": 2000
}
},
"match": {
"source": "/var/log/apache2/access.log"
}
},
"size": 5
}
}
}
}
}
[o.e.m.j.JvmGcMonitorService] [hj-test156] [gc][11042] overhead, spent [701ms] collecting in the last [1s]
[2017-01-02T15:32:04,311][ERROR][o.e.x.w.i.s.ExecutableSimpleInput] [hj-test156] failed to execute [search] input for watch [log_error_watch], reason [[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]]
Your query is malformed; you need to write it like this:
...
"query": {
"bool": {
"must": [
{
"range": {
"offset": {
"gte": 1000,
"lte": 2000
}
}
},
{
"match": {
"source": "/var/log/apache2/access.log"
}
}
]
}
}
},
...
UPDATE
For a range with a date field you can do it like this:
{
"range": {
"#timestamp": {
"gte": "2017-01-02T05:23:34.731Z",
"lte": "2017-01-03T05:23:34.731Z"
}
}
},
Related
I can use aggregate to make some stats between two timestamps as following:
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"status": "ok"
}
},
{
"term": {
"deviceId": "123456789"
}
},
{
"range": {
"time": {
"gte": 1669852800,
"lt": 1671062400
}
}
}
]
}
},
"aggs": {
"results": {
"date_histogram": {
"field": "time",
"fixed_interval": "60",
}
}
}
}
Is it possible to query only the results that fall within a specific time range each day? For example, 7am–9am daily between Dec. 1 and Dec. 15. How can this be achieved?
I found the solution on Elasticsearch v7.15.2, as follows:
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"term": {
"status": "ok"
}
},
{
"term": {
"deviceId": "123456789"
}
},
{
"range": {
"time": {
"gte": 1669852800,
"lt": 1671062400
}
}
},
{
"script": {
"script": {
"source": "doc.time.value.getHourOfDay() >= params.min && doc.time.value.getHourOfDay() < params.max",
"params": {
"min": 8,
"max": 10
}
}
}
}
]
}
},
"aggs": {
"results": {
"date_histogram": {
"field": "time",
"fixed_interval": "60"
}
}
}
}
The syntax is slightly different from the comment above, but it works.
I am not able to perform nested aggregation in a specific date range.
Ideally, I would like to get the percentage values of two fields for the previous day and the current day. Here's the JSON (this is part of the Elastic Watcher definition, not the whole config):
{
"metadata":{
"threshold":5,
"interval":"2m",
"window":"2d"
},
"trigger":{
"schedule":{
"interval":"2m"
}
},
"input":{
"search":{
"request":{
"indices":[
"filebeat-*"
],
"types":[
"doc"
],
"body": {
"aggs": {
"aggs1": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-2d/d"
},
{
"to": "now-2d/d"
}
]
},
"aggs": {
"max": {
"script": {
"source": "(doc['upstream'].value\/100)"
}
}
}
}
},
"aggs2": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-2d/d"
},
{
"to": "now-2d/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['downstream'].value\/100)"
}
}
}
},
"aggs3": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-1d/d"
},
{
"to": "now/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['upstream'].value\/100)"
}
}
}
},
"aggs4": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-1d/d"
},
{
"to": "now/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['downstream'].value\/100)"
}
}
}
}
},
"query": {
"bool": {
"filter": {
"range": {
"#timestamp": {
"lte": "now",
"gte": "now-{{ctx.metadata.window}}"
}
}
}
}
}
}
}
}
}
}
All I want is to have 4 values for two fields, for the current day and the previous day, so that I can get the difference between the values for further processing.
Thanks.
I have documents in the following style in my index:
{
"docType": {
"valuesOverTime": [
{
"begin": 1488442858570,
"end": 1488442860570,
"values": [
{
"name": "level",
"segCount": 4
}
]
},
{
"begin": 1488442860571,
"end": 1488442890592,
"mcdn": [
{
"name": "level",
"segCount": 10
}
]
},
{
"begin": 1488442890593,
"end": 1488442890600,
"mcdn": [
{
"name": "level",
"segCount": 7
}
]
}
]
}
}
and want to query the sum of the docType.valuesOverTime.values.segCount in a certain time range, like the following range
{
"range": {
"docType.valuesOverTime.begin": {
"gte": 1488442858570,
"lte": 1488442860571
}
}
},
{
"range": {
"docType.valuesOverTime.end": {
"gte": 1488442860570,
"lte": 1488442890592
}
}
}
should get me the sum of the first two entries: 14.
However, I am absolutely stuck getting the query right! I always get the sum of all the entries in docType.valuesOverTime.values.segCount, which is 21 in this case.
I tried the following queries and some variations on them, which were of course all wrong:
{
"size": 0,
"aggs": {
"myfilter": {
"filter": {
"bool": {
"must": [
{
"range": {
"docType.valuesOverTime.begin": {
"gte": 1488442858570,
"lte": 1488442860571
}
}
},
{
"range": {
"docType.valuesOverTime.end": {
"gte": 1488442860570,
"lte": 1488442890592
}
}
}
]
}
},
"aggs": {
"summe": {
"sum": {
"field": "docType.valuesOverTime.values.segCount"
}
}
}
}
}
}
and
{
"_source": "docType.valuesOverTime.values",
"query": {
"constant_score" : {
"filter" : {
"bool": {
"must": [
{
"range": {
"docType.valuesOverTime.begin": {
"gte": 1488442858570,
"lte": 1488442860571
}
}
},
{
"range": {
"docType.valuesOverTime.end": {
"gte": 1488442860570,
"lte": 1488442890592
}
}
}
]
}
}
}
},
"aggs": {
"summe": {
"sum": {
"field": "docType.valuesOverTime.values.segCount"
}
}
}
}
Can someone please tell me what I got wrong, and how to do it right?
I'm working on ES 5.2.2 with the following mapping:
"valuesOverTime": {
"properties": {
"begin": {
"type": "long"
},
"end": {
"type": "long"
},
"values": {
"properties": {
"name": {
"type": "keyword"
},
"segCount": {
"type": "long"
}
}
}
}
}
I solved it myself:
First, everything in valuesOverTime needs to be nested, so that the mapping looks like this:
"valuesOverTime": {
"type": nested"
"properties": {
"begin": {
"type": "long"
},
"end": {
"type": "long"
},
"values": {
"properties": {
"name": {
"type": "keyword"
},
"segCount": {
"type": "long"
}
}
}
}
}
Then I can query as follows:
{
"size": 0,
"aggs": {
"nestedAcq": {
"nested": {"path": "docType.valuesOverTime"},
"aggs": {
"rangeAcq": {
"range": {
"field": "ocType.valuesOverTime.begin",
"ranges": [
{
"from": 1488442858570,
"to": 1488442860572
}
]
},
"aggs": {
"theSum": {
"sum": {
"field": "docType.valuesOverTime.values.segCount"
}
}
}
}
}
}
}
}
and get
"theSum": {
"value": 14
}
Idea: Search Top events on specific range and order by start_time. Like:
{
"from": 0,
"size": 7,
"query": {
"filtered": {
"query": { "match_all": {} },
"filter": {
"and": [
{ "bool": { "must_not": { "term": { "status": "OK" } } } },
{ "bool": { "must": { "term": { "is_blocked": false } } } }, {
"range": {
"start_time": {
"gte": "2016-01-01",
"lte": "2016-03-01"
}
}
}, {
"bool": {
"must": {
"geo_distance": {
"distance": "150km",
"coordinates": "xx.xxx, zz.zz "
}
}
}
}
]
}
}
},
"sort": [{ "start_time": "asc" },
{ "attending": "desc" }
]
}
I'm quite new to the concept of aggregations, so I still have basic problems understanding it.
I want 7 results of top events for the next 2 months. So I have two attributes to look at. The maximum number of people attending (attending) is the definition of "Top", but I also want to order this by time (start_time: asc).
What I started to write, but which is wrong:
{
"aggs": {
"aggs": {
"event_interval": {
"date_histogram": {
"field": "start_time",
"interval": "2M",
"format": "dateOptionalTime"
}
},
"max_attending": { "max": { "field": "attending" } },
"_source": {
"include": [
"name"
]
}
}
}
}
I'm not sure you need to be using an aggregation to get what you are looking for; I think a simple query can yield the results you would like to see. Try this:
{
"size": 7,
"sort": {
"attending": {
"order": "desc"
}
},
"query": {
"bool": {
"filter": [
{
"range": {
"start_time": {
"gte": "now-2M",
"lte": "now"
}
}
}
]
}
}
}
I have a filtered elasticsearch query that works, but I want to use minimum_should_match to instruct ES to return only results that have at least 3 should matches. But I can't seem to figure out where to put minimum_should_match. Where should I put it?
{
"size": 100,
"sort": {
"price_monthly": "asc"
},
"query": {
"filtered": {
"query": {
"match_all": []
},
"filter": {
"bool": {
"must": [],
"should": [
[
{
"range": {
"mb.untouched": {
"gte": "0",
"lt": "500"
}
}
},
{
"range": {
"mb.untouched": {
"gte": "500",
"lt": "1000"
}
}
}
],
[
{
"range": {
"minutes.untouched": {
"gte": "0",
"lt": "100"
}
}
},
{
"range": {
"minutes.untouched": {
"gte": "200",
"lt": "300"
}
}
}
],
[
{
"range": {
"sms.untouched": {
"gte": "750",
"lt": "1000"
}
}
}
]
],
"must_not": {
"missing": {
"field": "provider.untouched"
}
}
}
},
"strategy": "query_first"
}
},
"aggs": {
"provider.untouched": {
"terms": {
"field": "provider.untouched"
}
},
"prolong.untouched": {
"terms": {
"field": "prolong.untouched"
}
},
"duration.untouched": {
"terms": {
"field": "duration.untouched"
}
},
"mb.untouched": {
"histogram": {
"field": "mb.untouched",
"interval": 500,
"min_doc_count": 1
}
},
"sms.untouched": {
"histogram": {
"field": "sms.untouched",
"interval": 250,
"min_doc_count": 1
}
},
"minutes.untouched": {
"histogram": {
"field": "minutes.untouched",
"interval": 100,
"min_doc_count": 1
}
},
"price_monthly.untouched": {
"histogram": {
"field": "price_monthly.untouched",
"interval": 5,
"min_doc_count": 1
}
}
}
}
In order to use minimum_should_match, you need to rewrite your filtered query a little bit, i.e. you need to move your should clause to the query part of the filtered query and just keep must_not in the filter part (because missing is a filter). Then you can add minimum_should_match: 3 in the bool query part as shown below:
{
"size": 100,
"sort": {
"price_monthly": "asc"
},
"query": {
"filtered": {
"query": {
"bool": {
"minimum_should_match": 3,
"must": [],
"should": [
[
{
"range": {
"mb.untouched": {
"gte": "0",
"lt": "500"
}
}
},
{
"range": {
"mb.untouched": {
"gte": "500",
"lt": "1000"
}
}
}
],
[
{
"range": {
"minutes.untouched": {
"gte": "0",
"lt": "100"
}
}
},
{
"range": {
"minutes.untouched": {
"gte": "200",
"lt": "300"
}
}
}
],
[
{
"range": {
"sms.untouched": {
"gte": "750",
"lt": "1000"
}
}
}
]
]
}
},
"filter": {
"bool": {
"must_not": {
"missing": {
"field": "provider.untouched"
}
}
}
},
"strategy": "query_first"
}
},
"aggs": {
"provider.untouched": {
"terms": {
"field": "provider.untouched"
}
},
"prolong.untouched": {
"terms": {
"field": "prolong.untouched"
}
},
"duration.untouched": {
"terms": {
"field": "duration.untouched"
}
},
"mb.untouched": {
"histogram": {
"field": "mb.untouched",
"interval": 500,
"min_doc_count": 1
}
},
"sms.untouched": {
"histogram": {
"field": "sms.untouched",
"interval": 250,
"min_doc_count": 1
}
},
"minutes.untouched": {
"histogram": {
"field": "minutes.untouched",
"interval": 100,
"min_doc_count": 1
}
},
"price_monthly.untouched": {
"histogram": {
"field": "price_monthly.untouched",
"interval": 5,
"min_doc_count": 1
}
}
}
}