ELK 5.5: Query with term and range filter


(Prott8gf) #1

Hi,

I'm quite new to the beautiful world of elasticsearch and ran into a problem using the query language.

So I've installed an ELK 5.5 test environment including the WINLOGBEAT component; everything is working fine.

Since the platform comes with a fancy query feature I wanted to query some of the events.

Use case
I want to query events with a specific ID which occurred in the last 15 minutes and display all relevant event entries.

This is my approach, but it does not work:

{
  "query": {
    "filtered": {
      "query": {
        "term": {"event_id": "4624"}
      },
      "filter": {
        "range": {
          "timestamp" : {"gt" : "now-5m"}
        }
      }
    }
  }
}

Result

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "no [query] registered for [filtered]",
        "line": 3,
        "col": 17
      }
    ],
    "type": "parsing_exception",
    "reason": "no [query] registered for [filtered]",
    "line": 3,
    "col": 17
  },
  "status": 400
}

Does anyone have a recommendation on how to solve this issue?

Thank you & kind regards

PR


(Ivan Brusic) #2

You are using the old filtered query, which was removed in ES 5.x:
https://www.elastic.co/guide/en/elasticsearch/reference/2.4/query-dsl-filtered-query.html

The solution on that page of using the filter clause inside a bool query is
the correct way to do things now.


(Prott8gf) #3

Hi Ivan,

thank you for your support.

This solves my problem:

GET winlogbeat-*/_search
{
  "from": 0,
  "size": 1000,
  "query": {
    "bool": {
      "must": {
        "term": {
          "event_id": "<ID-Number>"
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "from": "now-5m",
            "to": "now"
          }
        }
      }
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

Kind Regards
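As an added example (not code from either poster), the following script builds the ES 5.x `bool` query from the reply above with the event ID and time window as parameters, and rewrites a 2.x `filtered` body like the one in the first post into that form. The `LEGACY_QUERY` body is constructed here to mirror the first post; the `search` helper, the `http://localhost:9200` URL and the `winlogbeat-*` index are assumptions.

```python
"""Rewrite a removed ES 2.x `filtered` query into the 5.x `bool` query (added example)."""
import json
import urllib.request
from typing import Any, Dict, List

# Constructed copy of the failing query from the first post (field names as written there).
LEGACY_QUERY: Dict[str, Any] = {
    "query": {
        "filtered": {
            "query": {"term": {"event_id": "4624"}},
            "filter": {"range": {"timestamp": {"gt": "now-5m"}}},
        }
    }
}


def event_window_query(event_id: str, minutes: int = 5, size: int = 1000) -> Dict[str, Any]:
    """Term on event_id in `must` (scored), date range in `filter` (unscored, cacheable)."""
    return {
        "from": 0,
        "size": size,
        "query": {
            "bool": {
                "must": {"term": {"event_id": event_id}},
                "filter": {"range": {"@timestamp": {"gte": f"now-{minutes}m", "lte": "now"}}},
            }
        },
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def migrate_filtered(body: Dict[str, Any]) -> Dict[str, Any]:
    """Move filtered.query -> bool.must and filtered.filter -> bool.filter; other bodies pass through."""
    legacy = body.get("query", {}).get("filtered")
    if legacy is None:
        return body
    bool_q: Dict[str, Any] = {}
    if "query" in legacy:
        bool_q["must"] = legacy["query"]
    if "filter" in legacy:
        bool_q["filter"] = legacy["filter"]
    migrated = dict(body)  # shallow copy keeps from/size/sort untouched
    migrated["query"] = {"bool": bool_q}
    return migrated


def search(body: Dict[str, Any], es_url: str = "http://localhost:9200", index: str = "winlogbeat-*") -> List[Dict[str, Any]]:
    """POST the body to _search and return the hit list (assumed URL and index; no auth)."""
    req = urllib.request.Request(f"{es_url}/{index}/_search", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["hits"]["hits"]


if __name__ == "__main__":
    print(json.dumps(migrate_filtered(LEGACY_QUERY), indent=2))
    print(json.dumps(event_window_query("4624", minutes=15), indent=2))
```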


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.