Fetch Last 15 minute of data

Aniket_Pant · September 19, 2022, 12:43pm

Here is my query for fetching the result of today last 15 minutes

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            },
            {
              "range":
              {
                "timestamp":
                {
                   "gte":"now-15m"
                }
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    ],
    "must_not": []
  }
  }
}

But i am getting older data of previous month.

leandrojmp · September 19, 2022, 1:05pm

Can you share an example of a document from previous month that is being returned by this query?

BenB196 · September 19, 2022, 1:05pm

You need to move your range filter to a new bool/should clause/filter. Currently you have it in the same filter as your ResponseCode, but then you also have "minimum_should_match": 1 set, so your query is really saying, match one of these ResponseCodes OR any document with the timestamp range.

Aniket_Pant · September 19, 2022, 5:32pm

@BenB196 , now i am getting zero result
Can you please tell me where i am making mistake

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":
          {
             "range":
              {
                "timestamp":
                {
                   
                   "gte":"now-15m"
                }
              }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

Aniket_Pant · September 20, 2022, 6:56am

Thank you @leandrojmp and @BenB196 for your help i miss the @ in timestamp

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":{
          "range": {
            "@timestamp": {
              "gte": "now-15m"
            }
          }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

system · October 18, 2022, 6:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch query time range issue Elasticsearch	51	5417	May 6, 2021
Creating Query that matches values using OR within a specific timeframe Elasticsearch	4	501	May 24, 2019
Create request for last 15 min Elasticsearch	10	22260	July 6, 2017
Filtering by Range Elasticsearch	5	6712	January 26, 2018
Query optimization! Elasticsearch	4	605	September 8, 2017

Fetch Last 15 minute of data

Related topics