Hi,
probably a classic and simple to answer, but as I found quite different answers to several questions about date math in Kibana I want to ask here if and how date math is supported in the current 5.0 version of kibana.
Basicly I want to do e.g range queries on a date field, something like @timestamp:[NOW/DAY TO NOW] or @timestamp[NOW-7DAY TO NOW]. I found some examples like this but they aint work for me. Is that possible in kibana at the moment and if so how?
Thanks,
Andrej
You could try to use the timepicker to do that. You can define relative time ranges. Let me know if this answers your question.
regards, Peter
Hi Peter,
thanks for your fast answer, but no, it doesnt solve my problem. I want to do it query wise and independent from timepicker. In a dashboard timepicker affects all visualizations, if I e.g have a metric that should display todays values this is not useful, because it will not be today but what timepicker selects. A query @timestamp[NOW/DAY TO NOW] on a pattern without events will always show only todays values, no matter what other visualizations do.
Regards,
Andrej
this seems to work well @timestamp:[now-1d TO now]
Trying this on a @timestamp field with mapping type date I am getting: Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"parse_exception","reason":"could not read the current timestamp"}] ...
What mapping are you using for your field? Anything I have to enable in kibana or elasticsearch config?
"@timestamp": {
"type": "date"
},
default install of elasticsearch 5.0.1 and kibana 5.0.1 with makelogs data
Ok, a bit more stacktrace:
Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"parse_exception","reason":"could not read the current timestamp"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query_fetch","grouped":true,"failed_shards":[{"shard":0,"index":"indexname","node":"nodeidhere","reason":{"type":"parse_exception","reason":"could not read the current timestamp","caused_by":{"type":"illegal_argument_exception","reason":"features that prevent cachability are disabled on this context"}}}],"caused_by":{"type":"parse_exception","reason":"could not read the current timestamp","caused_by":{"type":"illegal_argument_exception","reason":"features that prevent cachability are disabled on this context"}}},"status":400}
I am running 5.0.0. May be this is related to https://github.com/elastic/elasticsearch/issues/21457 ? I will try to run 5.0.1.
This is indeed a bug in version 5.0.0. Updating to 5.0.1 solved the problem and your query is working now. Thanks for confirmation, it kept me going on the problem 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.