Elasticsearch SQL - HAVING query seems to have broken

flxdan · June 2, 2020, 10:20am

For reporting purposes I created a SQL query to report when a winlogbeat agent hasn't sent any data within the last hour:

    POST _sql?format=txt
    {
      "query": """
      select agent.hostname, max("@timestamp") from "winlogbeat-*" group by agent.hostname HAVING (max("@timestamp") < NOW() - INTERVAL 1 HOUR)
      """
    }

This was definitely working in Elasticsearch 7.6.2, but it looks like since we upgraded to 7.7.0 (in Elastic Cloud) this doesn't seem to return any results any more - nor are any errors logged that I can find.

Pretty sure I should get some results from this query, as if I run the following:

    POST _sql?format=txt
    {
      "query": """
      select agent.hostname, max("@timestamp") from "winlogbeat-*" group by agent.hostname order by max("@timestamp")
      """
    }

I get results like:

    agent.hostname |   max("@timestamp")    
    ---------------+------------------------
    DESKTOP-x1|2020-03-19T17:30:14.112Z
    DESKTOP-x2|2020-04-25T09:19:22.479Z
    DESKTOP-x3|2020-05-11T23:11:00.538Z
    DESKTOP-x4|2020-05-14T16:03:10.669Z

Any ideas what could be happening here?

Andrei_Stefan · June 3, 2020, 6:11am

@flxdan thank you for raising this concern.
This is a bug. I've created this issue to track it.

system · July 1, 2020, 6:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.