I'm trying to write an extraction query to get every timestamp for all items only if the item has timestamps in each of the last three days. For context, what I'm doing is tracking tests - if they've executed in each of the last three days, I want to know how long they've been executing for.
The filter.range.@timestamp works great - it gives me all the data I want, for the last year. Good start.
The must.range.@timestamp is my attempt to filter down to just items that have entries for the last three days. It works, kind of - while it gives me the correct data set, it wipes out the older entries for that item.
For example, I want this to match:
{
  "key_as_string": "15 Aug"
},
{
  "key_as_string": "16 Aug"
},
{
  "key_as_string": "17 Aug"
},
{
  "key_as_string": "18 Aug"
}
and return that exact string. Instead, I'm getting:
{
  "key_as_string": "16 Aug"
},
{
  "key_as_string": "17 Aug"
},
{
  "key_as_string": "18 Aug"
}
I'm getting the correct matches, but it's cutting off some of the data I want. I'm not opposed to filtering this in another way, if there's an easier method. I'm using this to trigger an alert, so I could do this in Painless instead. But I feel like I'm closer here.
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "from": "now-1y/y",
              "to": "now/d",
              "include_lower": true,
              "include_upper": false,
              "boost": 1
            }
          }
        },
        // some terms
      ],
      "must": [
        {
          "range": {
            "@timestamp": {
              "from": "now-3d/d",
              "to": "now/d",
              "include_lower": true,
              "include_upper": false,
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {
    // some aggregations
  }
}
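The core of the problem above is that a `must`/`filter` range on `@timestamp` selects documents, while the poster wants the last-three-days window to select items (tests) and then keep every document for those items. The following is an added example, not code from the original post: it shows the intended rule as plain Python over constructed sample documents, and builds the Elasticsearch request body that expresses the same rule with a `terms` aggregation per item, a `filter` + `date_histogram` sub-aggregation counting the distinct days hit in the window, and a `bucket_selector` that keeps only items with a bucket for every day. The item field name `test.name`, the sample timestamps, the "today" date, and the `_bucket_count` buckets_path and `calendar_interval` (Elasticsearch 7.2+) are assumptions; the poster's own `// some terms` filters would go in the outer `filter` list unchanged.

```python
"""Added example: select items active on each of the last N days, then
return ALL of their timestamps, first in plain Python over constructed
sample data, then as an Elasticsearch aggregation body."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample documents; "test.name" is an assumed field name.
SAMPLE_DOCS = [
    {"test.name": "login_flow", "@timestamp": "2023-08-15T09:00:00Z"},
    {"test.name": "login_flow", "@timestamp": "2023-08-16T09:00:00Z"},
    {"test.name": "login_flow", "@timestamp": "2023-08-17T09:00:00Z"},
    {"test.name": "login_flow", "@timestamp": "2023-08-18T09:00:00Z"},
    {"test.name": "checkout",   "@timestamp": "2023-08-16T09:00:00Z"},
    {"test.name": "checkout",   "@timestamp": "2023-08-18T09:00:00Z"},
    {"test.name": "old_suite",  "@timestamp": "2022-12-01T09:00:00Z"},
]
# Assumed "now/d" for the constructed data; the window is then 16, 17, 18 Aug,
# matching now-3d/d (inclusive) .. now/d (exclusive) from the original query.
TODAY = date(2023, 8, 19)


def days_in_window(today, days=3):
    """Calendar days covered by now-{days}d/d .. now/d (upper bound excluded)."""
    return {today - timedelta(days=k) for k in range(1, days + 1)}


def parse_day(ts):
    """UTC calendar day of an ISO-8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def items_seen_every_day(docs, today, days=3, item_field="test.name"):
    """Return {item: sorted list of ALL its timestamps} for every item that
    has at least one document on each day of the window. The window decides
    which items qualify; it does not drop the item's older documents."""
    required = days_in_window(today, days)
    all_ts = defaultdict(list)
    hit_days = defaultdict(set)
    for doc in docs:
        item = doc[item_field]
        all_ts[item].append(doc["@timestamp"])
        day = parse_day(doc["@timestamp"])
        if day in required:
            hit_days[item].add(day)
    return {item: sorted(ts) for item, ts in all_ts.items()
            if hit_days[item] == required}


def build_query(days=3, item_field="test.name", max_items=500):
    """Elasticsearch body implementing the same rule server-side.
    The outer filter keeps the poster's one-year history; the per-item
    bucket_selector keeps only items whose recent date_histogram has a
    bucket for every day of the window (_bucket_count == days)."""
    daily = {"field": "@timestamp", "calendar_interval": "1d", "min_doc_count": 1}
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": "now-1y/y", "lt": "now/d"}}},
            # the poster's additional term filters belong here
        ]}},
        "aggs": {"per_item": {
            "terms": {"field": item_field, "size": max_items},
            "aggs": {
                "recent": {
                    "filter": {"range": {"@timestamp": {
                        "gte": f"now-{days}d/d", "lt": "now/d"}}},
                    "aggs": {"days": {"date_histogram": daily}},
                },
                # full history per item, keyed like the "15 Aug" output above
                "all_days": {"date_histogram": {**daily, "format": "dd MMM"}},
                "every_day": {"bucket_selector": {
                    "buckets_path": {"n": "recent>days._bucket_count"},
                    "script": f"params.n == {days}",
                }},
            },
        }},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(items_seen_every_day(SAMPLE_DOCS, TODAY), indent=2))
    print(json.dumps(build_query(), indent=2))
```

With the constructed data only `login_flow` has a document on each of 16, 17 and 18 Aug, so it is returned with all four of its timestamps (15 Aug included), which is the behaviour the post asks for; `checkout` misses 17 Aug and is excluded. On the Elasticsearch side, `_bucket_count` is used instead of `_count` because two documents on one day must not count as two days, and the selector runs after the histogram so the `all_days` buckets of the surviving items still span the whole year.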