Fetch Last 15 minute of data

Aniket_Pant · September 19, 2022, 12:43pm

Here is my query for fetching the result of today last 15 minutes

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            },
            {
              "range":
              {
                "timestamp":
                {
                   "gte":"now-15m"
                }
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    ],
    "must_not": []
  }
  }
}

But i am getting older data of previous month.

leandrojmp · September 19, 2022, 1:05pm

Can you share an example of a document from previous month that is being returned by this query?

BenB196 · September 19, 2022, 1:05pm

You need to move your range filter to a new bool/should clause/filter. Currently you have it in the same filter as your ResponseCode, but then you also have "minimum_should_match": 1 set, so your query is really saying, match one of these ResponseCodes OR any document with the timestamp range.

Aniket_Pant · September 19, 2022, 5:32pm

@BenB196 , now i am getting zero result
Can you please tell me where i am making mistake

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":
          {
             "range":
              {
                "timestamp":
                {
                   
                   "gte":"now-15m"
                }
              }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

Aniket_Pant · September 20, 2022, 6:56am

Thank you @leandrojmp and @BenB196 for your help i miss the @ in timestamp

{
  "query": {
     "bool": {
    "filter": [
      {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "ResponseCode": "005"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "008"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "081"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "091"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "096"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "900"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "009"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "0068"
              }
            },
            {
              "match_phrase": {
                "ResponseCode": "153"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
      {
        "bool": {
          "should":{
          "range": {
            "@timestamp": {
              "gte": "now-15m"
            }
          }
          }
        }
      }
    ],
    "must_not": []
  }
}
}

system · October 18, 2022, 6:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.