Data cannot be queried by querying the time part of the log

canli12138 · September 19, 2024, 10:19am

The data cannot be queried by querying the time part of the log. For example, the log content is XX:2024-08-22 17:53:05.947(35561|35863) XXXX:XXXXX, and the data cannot be queried by log:17:53:05.
// log:17:53:05

jessgarson · September 19, 2024, 8:10pm

Thanks for reaching out here, @canli12138. Can you provide some further context as to what result you are expecting and the steps that can be taken to reproduce the results you are explaining? Are you getting any error messages?

canli12138 · September 27, 2024, 3:34am

When I query "log:17:53:05", I hope it returns data containing 17:53:05, such as this data: "XX:2024-08-22 17:53:05.947(35561|35863 ) XXXX:XXXXX", but it returns empty

ashishtiwari1993 · September 27, 2024, 8:11am

Could you please explain how you indexing your logs -

If you're doing default indexing, Then it should be searchable -

POST test-1/_doc
{
  "log":"XX:2024-08-22 17:53:05.947(35561|35863) XXXX:XXXXX"
}

GET test-1/_search

GET test-1/_search
{
  "query": {
    "match": {
      "log": "17:53:05"
    }
  }
}

canli12138 · September 27, 2024, 10:03am

use match you will get some data like "XX:2024-08-22 17:50:05", because it cannot match exactly

ashishtiwari1993 · September 27, 2024, 10:50am

Yeah thats totally depend on how you are indexing. You need to apply appropriate analyzer or you can use wildcard.

canli12138 · September 29, 2024, 6:59am

I try this query to find the data I want

{
  "query": {
    "wildcard": {
      "log.keyword":"*17:53:05*"
    }
  }
}

ashishtiwari1993 · September 30, 2024, 6:15am

This is how your token is generated using standard analyzer -


GET /_analyze?pretty
{
  "analyzer" : "standard",
  "text" : "XX:2024-08-22 17:53:05.947(35561|35863) XXXX:XXXXX"
}

{
  "tokens": [
    {
      "token": "xx",
      "start_offset": 0,
      "end_offset": 2,
      "type": "<ALPHANUM>",
      "position": 0
    },
    {
      "token": "2024",
      "start_offset": 3,
      "end_offset": 7,
      "type": "<NUM>",
      "position": 1
    },
    {
      "token": "08",
      "start_offset": 8,
      "end_offset": 10,
      "type": "<NUM>",
      "position": 2
    },
    {
      "token": "22",
      "start_offset": 11,
      "end_offset": 13,
      "type": "<NUM>",
      "position": 3
    },
    {
      "token": "17",
      "start_offset": 14,
      "end_offset": 16,
      "type": "<NUM>",
      "position": 4
    },
    {
      "token": "53",
      "start_offset": 17,
      "end_offset": 19,
      "type": "<NUM>",
      "position": 5
    },
    {
      "token": "05.947",
      "start_offset": 20,
      "end_offset": 26,
      "type": "<NUM>",
      "position": 6
    },
    {
      "token": "35561",
      "start_offset": 27,
      "end_offset": 32,
      "type": "<NUM>",
      "position": 7
    },
    {
      "token": "35863",
      "start_offset": 33,
      "end_offset": 38,
      "type": "<NUM>",
      "position": 8
    },
    {
      "token": "xxxx:xxxxx",
      "start_offset": 40,
      "end_offset": 50,
      "type": "<ALPHANUM>",
      "position": 9
    }
  ]
}

You need add create custom analyzer as per your requirement

OR

Just change the type of log to keyword and then perform the wildcard query.

system · October 28, 2024, 6:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Simple Query to search within log text (not keyword) Elasticsearch eql-elastic-query-language	4	1460	April 3, 2023
Query returns empty result when filtering on labels and timestamp Elasticsearch	4	429	September 1, 2022
Elastic Search time query Elasticsearch	2	1011	July 21, 2020
Feedback needed on my query Elasticsearch	3	554	August 18, 2017
Need help with search query Elasticsearch	5	451	March 9, 2023

Data cannot be queried by querying the time part of the log

Related Topics