Is there a way to find the nearest timestamp? Let's say I'm looking for the nearest record (both the one before and the one after) 2019-10-09T19:02:22.000Z.
At first I was tackling this problem as if I had to match this exact timestamp...
For context, I'm searching VPN logs to find out who was connected (login/logout logs) at a given point in time. Except there are a lot of different IPs and different times, so I had to dig into how the query DSL works and even managed to build a huge nested should/must query to cover them all... before I realized that what I actually needed was something else.
For sharing's sake, here is that query:
{
"bool": {
"should": [
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } },
{ "bool": { "must": [{ "range": { "@timestamp": { "gte": "<start_event_date>T<start_event_time>Z", "lt": "<end_event_date>T<end_event_time>Z" } }}, { "match": { "FramedIPAddress": { "query": "<ip>" } } } ] } }
]
}
}