Create filter with time query for the last 3 days


(Chen Ben Ezra) #1

Hi,

How can I create a query for results from the last 3 days?
I saw that I can create a filter with a query like this:
@timestamp = [now-72H to now]
But it's not working.
How can I create this term?

BR,
Chen


(Shelby Sturgis) #2

chenbe2204,

There are several ways to do this. I am not sure which one you really need, so I will present them all. The first and easiest way would be using the TimePicker.

Another way would be to create a date range aggregation in the visualize interface.

Here I am comparing data from the last 3 days with data from the last 30 days. You can add more ranges by clicking on the Add Range button at the bottom of the aggregation panel.

Finally, another way would be to paste in json into the search bar like so:

Let me know if any of these help.


(Chen Ben Ezra) #3

Hi,

I'm using Version 4.0.2
Under X-Axis the only options I have for Sub Aggregation are:
Date Histogram, Histogram, Range, Terms, Filters and Significant Terms.
If I choose Range, I have the option to choose duration and executionid in the field attribute.
Is it because of the Kibana version?
What options do I have except the one you suggested?

BR,
Chen


(Shelby Sturgis) #4

Hi,

I was using the latest stable version 4.4.0. You can always fall back to the time picker. But if you need a date range agg, you will have to upgrade your Kibana version.


(Chen Ben Ezra) #5

Thanks :slight_smile:


(Abinay) #6

@stormpython No, the first approach is not working. I too am taken aback by the fact that it's not working. Any help?


(Thorsten Nickel) #7

Hi,

what most of the time works for me, in a Dashboard context, is setting an additional query-condition.
For example, if I only want the data of 'today' I use the clause 'AND @timestamp:[now/d TO now]',
which rounds now/d down to the current day as beginning of interval, and 'now' being current time, as the end of the interval.
But you should always make sure to set the timepicker interval to be greater than your timestamp interval, because right now the timepicker interval 'overrules' the interval setting in the AND clause.

One more thing: you need to make sure the keywords AND and TO are uppercase :slightly_smiling:

Hope this helps,
Thorsten
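The two query shapes in this thread (the opening post's `@timestamp = [now-72H to now]` and Thorsten's `@timestamp:[now/d TO now]`) both rely on Elasticsearch date math and Lucene range syntax. The following is an added example, my own code and not Kibana's, Shelby's or Thorsten's: it resolves the date-math expressions locally so you can see what `now-72H`, `now-3d/d` and `now/d` actually evaluate to, rejects the two mistakes from the opening post (`=` instead of `:` and a lowercase `to`), builds the equivalent query DSL range, and intersects the clause's window with a time picker window to show why the picker "overrules" the clause. It assumes only the units w, d, h/H, m and s (y and M are calendar-dependent and left out), and the fixed `NOW` is a constructed sample timestamp.

```python
"""Added example, not code from the thread or from Kibana: resolve Elasticsearch
date math (now-72H, now/d, now-3d/d), validate a Lucene range clause, build the
query DSL equivalent, and intersect it with a time picker window.
Assumption: only the units w, d, h/H, m, s are handled; y and M are left out."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Elasticsearch accepts both 'h' and 'H' for hours, so 'now-72H' is valid date math.
_UNIT_DELTAS = {
    "w": timedelta(weeks=1),
    "d": timedelta(days=1),
    "h": timedelta(hours=1),
    "H": timedelta(hours=1),
    "m": timedelta(minutes=1),
    "s": timedelta(seconds=1),
}
# One date-math token: '+3d' / '-72H' (shift) or '/d' (round down to the unit start).
_TOKEN = re.compile(r"([+-]\d+|/)([wdhHms])")
# Lucene range clause as the Kibana search bar expects it; TO must be uppercase.
_CLAUSE = re.compile(r"^(\S+):\[(\S+) TO (\S+)\]$")


def _round_down(t: datetime, unit: str) -> datetime:
    """Round t down to the start of the unit (what 'now/d', 'now/h' etc. mean)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit in ("h", "H"):
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    return day - timedelta(days=day.weekday())  # 'w': ISO weeks start on Monday


def resolve_date_math(expr: str, now: datetime) -> datetime:
    """Evaluate a 'now...' date-math expression against the given clock."""
    if not expr.startswith("now"):
        raise ValueError(f"only 'now'-anchored expressions are supported: {expr!r}")
    rest, pos, t = expr[3:], 0, now
    for match in _TOKEN.finditer(rest):
        if match.start() != pos:  # stray characters between tokens
            raise ValueError(f"unparseable date math: {expr!r}")
        pos = match.end()
        op, unit = match.groups()
        t = _round_down(t, unit) if op == "/" else t + int(op) * _UNIT_DELTAS[unit]
    if pos != len(rest):
        raise ValueError(f"unparseable date math: {expr!r}")
    return t


def parse_range_clause(clause: str) -> tuple[str, str, str]:
    """Split 'field:[lower TO upper]' into its parts, naming the usual mistakes."""
    match = _CLAUSE.match(clause.strip())
    if match is None:
        hints = []
        if " to " in clause:
            hints.append("the range keyword must be uppercase TO")
        if "=" in clause:
            hints.append("use 'field:[...]', not 'field = [...]'")
        raise ValueError(f"not a valid range clause ({'; '.join(hints)}): {clause!r}")
    return match.group(1), match.group(2), match.group(3)


def range_query(clause: str) -> dict:
    """Query DSL equivalent of the clause; the date math is left for Elasticsearch."""
    field, lower, upper = parse_range_clause(clause)
    return {"query": {"range": {field: {"gte": lower, "lte": upper}}}}


def effective_window(clause: str, picker_from: str, picker_to: str,
                     now: datetime) -> tuple[datetime, datetime] | None:
    """Intersect the clause's window with the time picker's window. Both filters
    apply, so only documents inside both ranges come back; a picker narrower
    than the clause is what makes the picker look like it 'overrules' the clause."""
    _, lower, upper = parse_range_clause(clause)
    start = max(resolve_date_math(lower, now), resolve_date_math(picker_from, now))
    end = min(resolve_date_math(upper, now), resolve_date_math(picker_to, now))
    return (start, end) if start <= end else None


# Constructed sample clock: Wednesday 2016-02-10 15:30:45 UTC.
NOW = datetime(2016, 2, 10, 15, 30, 45, tzinfo=timezone.utc)

if __name__ == "__main__":
    for expr in ("now-72H", "now-3d", "now/d", "now-3d/d", "now/w"):
        print(f"{expr:10} -> {resolve_date_math(expr, NOW).isoformat()}")
    print(range_query("@timestamp:[now-72H TO now]"))
    # A 24-hour time picker shrinks a 72-hour clause to the last 24 hours.
    print(effective_window("@timestamp:[now-72H TO now]", "now-24h", "now", NOW))
    for bad in ("@timestamp = [now-72H to now]", "@timestamp:[now-72H to now]"):
        try:
            parse_range_clause(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running it shows `now-72H` and `now-3d` landing on the same instant, `now/d` and `now-3d/d` snapping to midnight, and the 72-hour clause collapsing to 24 hours once a "last 24 hours" picker is applied, which is the behaviour Thorsten describes; keep the picker at least as wide as the clause, or the clause never gets to widen anything.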


(Abinay) #8

@Thorsten_Nickel Where are you using these conditions? See, what I want is that the user should not write anything. Things should be clicks away.


(Thorsten Nickel) #9

@abinay: First step was to create a saved search, which included the @timestamp interval in the query statement. From there I created the visualization using this saved search and afterwards, including that into any dashboard is easy as ever.
Key is to have your statement saved as a search and used in the visualization, therefore any user who can see that visualization does not need to have anything written down.

Best wishes,
Thorsten

