Combine a query with term and range

I have an index with a lot of docs. I intend to send a query via the API to obtain a count of documents in this index that contain an exact phrase in a portion of the message.

The document has a field called event, and I look for the text Server unresponsive in this field. For example, the field event in the document has the value:

...Action Removed" Reason="Server unresponsive...

And I query whether the field event contains Server unresponsive from now to -15m.

I have constructed this query:

{
  "query": {
    "bool": {
      "must": [
        {
          "range": {"@timestamp" : {"gt" : "now-15m"}}
        },
        {
          "term": { "event": "Server unresponsive"}
        }
      ]
    }
  }
}

I want the result for the last 15 minutes, but when I launch the query it shows me 0 results, while in Kibana the equivalent search query shows me X hits at the same time.

Why does this query not match this result correctly? I have used match options and the result is the same, 0 hits. If the query uses "query_string", the result shows me all the hits in all my docs in the index, but I don't know how to limit the result to the last 15 minutes.
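An added example, not part of the original post: a small Python model of how a `term` lookup and a `match_phrase` lookup behave against an analyzed text field, plus a request body that pairs the phrase clause with the 15-minute range. It assumes `event` is mapped as analyzed text; `analyze` is a simplified stand-in for the standard analyzer, and the sample documents and helper names are constructed for illustration.

```python
import json
import re

def analyze(text):
    # Simplified stand-in for the standard analyzer (assumption):
    # lowercase, then split on anything that is not a letter or digit.
    return [t for t in re.split(r"[^0-9A-Za-z]+", text.lower()) if t]

def build_index(docs):
    # Positional inverted index: token -> {doc_id: [positions]}
    index = {}
    for doc_id, text in docs.items():
        for pos, tok in enumerate(analyze(text)):
            index.setdefault(tok, {}).setdefault(doc_id, []).append(pos)
    return index

def term_hits(index, value):
    # term: the value is looked up exactly as given, with no analysis.
    return sorted(index.get(value, {}))

def phrase_hits(index, text):
    # match_phrase: analyze the input, then require consecutive positions.
    toks = analyze(text)
    if not toks or any(t not in index for t in toks):
        return []
    hits = []
    for doc_id, starts in index[toks[0]].items():
        if any(all(s + i in index[t].get(doc_id, []) for i, t in enumerate(toks))
               for s in starts):
            hits.append(doc_id)
    return sorted(hits)

def count_body(field, phrase, window="now-15m"):
    # Phrase clause scored in "must"; the time window as a non-scoring filter.
    return {"query": {"bool": {
        "must": [{"match_phrase": {field: phrase}}],
        "filter": [{"range": {"@timestamp": {"gt": window}}}],
    }}}

DOCS = {  # constructed sample values for the event field
    1: 'Action="Removed" Reason="Server unresponsive" Node="a1"',
    2: 'Action="Added" Reason="Server responsive" Node="a2"',
    3: 'Reason="unresponsive Server"',
}
INDEX = build_index(DOCS)

if __name__ == "__main__":
    print(term_hits(INDEX, "Server unresponsive"))    # no such single token
    print(phrase_hits(INDEX, "Server unresponsive"))  # tokens in order
    print(json.dumps(count_body("event", "Server unresponsive"), indent=2))
```

The printed body has the same shape as the query in the post, with the `term` clause swapped for `match_phrase` and the range moved into `filter`; whether it matches on a real index depends on the actual mapping of `event`.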
