Elasticsearch - query with 2 conditions

Rohlik · June 23, 2020, 2:07pm

Hi there,
I want get result from Elasticsearch of specific fields (and their values) which match 2 criteria - date and string match. But I something doing wrong, because I receiving this error:

[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
My query:

    GET monitoring/_search
        {
          "_source": [
            "AmountCurr",
            "AmountRaw"
          ],
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "LogType": "OK"
                  },
                  "range": {
                    "@timestamp": {
                      "gt": "now-1d/d",
                      "lt": "now/d"
                    }
                  }
                }
              ]
            }
          }
        }

What I did wrong?
PS: I took inspiration from elasticsearch - How to have Range and Match query in one elastic search query using python? - Stack Overflow

Thank you.

dadoonet · June 23, 2020, 2:53pm

Did not test it but I guess this should work:

    GET monitoring/_search
    {
      "_source": [
        "AmountCurr",
        "AmountRaw"
      ],
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "LogType": "OK"
              }},{
              "range": {
                "@timestamp": {
                  "gt": "now-1d/d",
                  "lt": "now/d"
                }
              }
            }
          ]
        }
      }
    }

Rohlik · June 24, 2020, 2:46pm

Thank you @dadoonet. Now I can run query without error, but it seems that range filter is wrong because I received 0 hints. But I am absolutely sure that data in Elasticsearch exists.

When I change range part to this, then it is working:

"range": {
            "@timestamp": {
              "gt": "now-15m"
            }
          }
        }

My timestamp field in document looks like:
"@timestamp": "2020-06-24T14:45:07.004Z"

Where is problem?

Rohlik · June 26, 2020, 1:15pm

I finally found my problem.
I must replace gt with gte in my query.
Thank you for your time.

system · July 24, 2020, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.