Fetch Last 15 minute of data

Aniket_Pant · September 19, 2022, 12:43pm

Here is my query for fetching the result of today last 15 minutes

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            },
            {
              "range":
              {
                "timestamp":
                {
                   "gte":"now-15m"
                }
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    ],
    "must_not": []
  }
  }
}

But i am getting older data of previous month.

leandrojmp · September 19, 2022, 1:05pm

Can you share an example of a document from previous month that is being returned by this query?

BenB196 · September 19, 2022, 1:05pm

You need to move your range filter to a new bool/should clause/filter. Currently you have it in the same filter as your ResponseCode, but then you also have "minimum_should_match": 1 set, so your query is really saying, match one of these ResponseCodes OR any document with the timestamp range.

Aniket_Pant · September 19, 2022, 5:32pm

@BenB196 , now i am getting zero result
Can you please tell me where i am making mistake

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":
          {
             "range":
              {
                "timestamp":
                {
                   
                   "gte":"now-15m"
                }
              }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

Aniket_Pant · September 20, 2022, 6:56am

Thank you @leandrojmp and @BenB196 for your help i miss the @ in timestamp

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":{
          "range": {
            "@timestamp": {
              "gte": "now-15m"
            }
          }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

system · October 18, 2022, 6:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create request for last 15 min Elasticsearch	10	22251	July 6, 2017
Query last one hour records Elasticsearch	9	29154	July 5, 2017
Range filter in should match query Elasticsearch	4	2974	September 2, 2022
Subtracting time in elasticsearch query Elasticsearch	3	4813	December 28, 2016
Full-text queries with date filter Kibana eql-elastic-query-language	4	277	November 1, 2023

Fetch Last 15 minute of data

Related Topics