Elasticsearch SQL - How to query data only from yesterday

ezra · March 9, 2022, 12:39am

Hello everyone.

I am looking to query data from yesterday, excluding the data from today. I have figured out how to do this when inputting a specific date and subtracting 1 day. However, I need it to be from today's date, for example timestamp = NOW() - 1d/d. This is on an element in Kibana Canvas, using Elasticsearch SQL.

This is what I have so far, however I would need to update the query everyday to change the specific date.

SELECT COUNT(XXX.keyword) AS Count

FROM "XXX"

WHERE XXX.keyword='XXX'

AND timestamp = '2022-03-09||-1d/d'

timestamp = NOW() - INTERVAL 2 DAYS would not work because it includes data from TODAY and YESTERDAY, whereas I only want the data from yesterday.

jsanz · March 10, 2022, 3:38pm

I think this is what you need:

Getting the entries from metricbeat from yesterday using current day minus two and one day and truncated both to midnight.

GET _sql?
{
  "query": """
 SELECT COUNT(*)
   FROM "metricbeat-*"
  WHERE "@timestamp" 
BETWEEN DATETRUNC('day', (NOW() - INTERVAL 2 DAY)) 
    AND DATETRUNC('day', (NOW() - INTERVAL 1 DAY))
  """
}

system · April 7, 2022, 3:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.