Hi Elasticsearch Gurus,
I’ve recently spun up an Elasticsearch v7.4.0 Docker container. Within the container, I’ve been playing with the “elasticsearch-sql-cli” script and successfully submitting SQL-like queries against my ES index. Which is pretty great.
Here’s a follow-up problem. My index is really massive, with several million data records, and growing rapidly. I need to find a way to submit an SQL-like query that basically says, “Give me X data only for the last five minutes.” As luck would have it, my index includes a “timestamp” record:
{
"mapping": {
"properties": {
"@timestamp": {
"type": "date"
},…
Here’s a sample of what it looks like in a standard query:
Timestamp | SrcIP | DstIP |Protocol|Port| sum
------------------------+------------+------------+--------+----+-------
2019-10-09T20:02:27.770Z|10.10.10.15 |10.10.10.16 |6 |5201|15000.0
2019-10-09T20:02:27.771Z|10.10.10.15 |10.10.10.16 |6 |5201|51000.0
2019-10-09T20:02:27.772Z|10.10.10.15 |10.10.10.16 |6 |5201|19500.0
2019-10-09T20:02:27.785Z|10.10.10.15 |10.10.10.16 |6 |5201|69000.0
2019-10-09T20:02:27.787Z|10.10.10.15 |10.10.10.16 |6 |5201|10500.0
2019-10-09T20:02:27.788Z|10.10.10.15 |10.10.10.16 |6 |5201|10500.0
2019-10-09T20:02:27.789Z|10.10.10.15 |10.10.10.16 |6 |5201|24000.0
2019-10-09T20:02:27.790Z|10.10.10.15 |10.10.10.16 |6 |5201|54000.0
2019-10-09T20:02:27.791Z|10.10.10.15 |10.10.10.16 |6 |5201|55500.0
Okay, so how would you say “Give me records from the last five minutes?” Standard SQL would have you do that like this. But I’ve tried this in my elasticsearch-sql-cli script, and I’m missing something in the syntax. Here’s a few attempts:
sql> select \"@timestamp\", SrcIP, DstIP, Protocol, Port, sum(Total)
> from \"myindex2019.10.09\"
> where Port = 5201 AND
> to_date(\"@timestamp\", 'MM/DD/YYYY HH24:MI:SS') >= sysdate - 5/(24*60)
> group by \"@timestamp\", SrcIP, DstIP, Protocol, Port;
> Bad request [Found 2 problem(s)
line 4:7: Unknown function [to_date], did you mean any of [CURDATE, TODAY, LOCATE, TRUNCATE]?
line 4:57: Unknown column [sysdate]]
sql>
sql>
sql> select \"@timestamp\", SrcIP, DstIP, Protocol, Port, sum(Total)
> from \"myindex2019.10.09\"
> where Port = 5201 AND
> \"@timestamp\" >= CURDATE - 5/(24*60)
> group by \"@timestamp\", SrcIP, DstIP, Protocol, Port;
> Bad request [Found 1 problem(s)
line 4:23: Unknown column [CURDATE]]
sql>
sql>
sql> select \"@timestamp\", SrcIP, DstIP, Protocol, Port, sum(Total)
> from \"myindex2019.10.09\"
> where Port = 5201 AND
> \"@timestamp\" >= CURDATE() - 5/(24*60)
> group by \"@timestamp\", SrcIP, DstIP, Protocol, Port;
> Bad request [Found 1 problem(s)
line 4:23: first argument of [CURDATE() - 5/(24*60)] must be [numeric], found value [CURDATE()] type [date]]
sql>
sql>
Any advice on how to crack this syntax?
And… as a general question… Is there an online guide to the ES/SQL syntax? It will be pretty tedious if I have to post on the forums every time I have a general question like this. Thanks!