Date Maths in Kibana Query Language

Marcos_Ivan_Robles_H · October 7, 2023, 12:07am

I am trying to use date math in my query without success.

When I paste a KQL query on the web explorer's address bar I got a successful result with an example like this:

base url + time:(from:'2023-10-06T20:44:13.558Z',to:'2023-10-06T20:44:13.558Z')) + more parameters

but I want to subtract 1 Hour in the from parameter so I tried KQL queries like the following without success:

base url + time:(from:'2023-10-06T20:44:13.558\|\|-1H',to:'2023-10-06T20:44:13.558Z')) + more parameters
base url + time:(from:'2023-10-06T20:44:13.558||-1H',to:'2023-10-06T20:44:13.558Z')) + more parameters
base url + time:(from:'2023-10-06T20:44:13.558Z%5C%7C%5C%7C-1H',to:'2023-10-06T20:44:13.558Z')) + more parameters

I also tried a DSL Query like this succesfully:

"query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "level.keyword": "Error"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-10-06T20:44:13.558Z||-1H",
              "lte": "2023-10-06T20:44:13.558Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },

but I need the KQL not the DSL query.

Note: The goal for all this is to be able to send a email via the body of elastic alerts/rules which points to the specific errors the rule found .

stephenb · October 7, 2023, 1:56am

I think the perhaps proper syntax is

'2023-10-06T20:44:13.558||+1h/h'

I am not sure you can do what you want I would need to test.

stephenb · October 7, 2023, 2:25am

The Correct KQL is this
@timestamp > "2023-10-06T01:12:35.144Z||-1h/h"

And from what I see you can not use that syntax in the from to... you will need to add it to the extra kql portion of the URL

https://localhost:9200/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-24h%2Fh,to:now))&_a=(columns:!(),filters:!(),index:'logs-*',interval:auto,query:(language:kuery,query:'@timestamp%20%3E%20%222023-10-06T01:12:35.144Z%7C%7C-1h%2Fh%22'),sort:!(!('@timestamp',desc)))

Its this part believe

query:(language:kuery,query:'@timestamp%20%3E%20%222023-10-06T01:12:35.144Z%7C%7C-1h%2Fh%22')

That is the encoded version of the KQL at the top, pretty sure if you need to encoded

I tried without encoded it seemed to work too.

https://localhost:9200/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-24h%2Fh,to:now))&_a=(columns:!(),filters:!(),index:'logs-*',interval:auto,query:(language:kuery,query:'@timestamp > "2023-10-06T01:12:35.144Z||-1h/h"'),sort:!(!('@timestamp',desc)))

system · November 4, 2023, 2:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.