How to get results with a timestamp greater than a certain date

alerting

#1

Hello guys, I need to set up a Watcher to look for results of a certain query. I need the results from the last 5 minutes (generally, it returns all the results from the index if I don't specify a filter). This is the Watcher code:

{
  "trigger" : {
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "<logstash-{now/d}>"],
        "types" : [ "vectra" ],
        "body" : {
          "sort" : {
            "@timestamp" : {"order" : "desc"}
          },
          "query" : { 
            "bool" : {
              "must" : [
                { "match" : { "leverage_type" : "Sweeper" }}
              ],
              "filter" : [
                { "range" : { "@timestamp" : { "gte" : "<{now-5m}>"}}}
              ]
            } 
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.hits.total" : {
        "gt" : 0
      }
    }
  },
  "actions" : {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "account" : "testing",
        "message" : {
          "to" : [ "@tester" ],
          "text" : "{{ctx.payload.hits.total}} Vectra entries found"
        }
      }
    }
  }
}

And I'm receiving the following error:
SearchPhaseExecutionException[all shards failed]; nested: ElasticsearchParseException[failed to parse date field [<{now-5m}>] with format [strict_date_optional_time||epoch_millis]]; nested: IllegalArgumentException[Parse failure at index [0] of [<{now-5m}>]];

How can I do a filter for the results that are newer than a certain date and time?


(Alexander Reelsen) #2

Hey,

Let's take a look at your query.

You used the same syntax as for date index math here (which is admittedly confusing). Can you try just "now-5m" here instead?

--Alex
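To make the distinction in the answer concrete, here is an added Python example (not code from the thread or from Elasticsearch) that resolves a small subset of date math the way the two places parse it: the index name `<logstash-{now/d}>` uses the angle-bracket/brace form, while a query value such as the range `gte` only accepts bare `now-5m`. The fixed `NOW` value and the simplified index-name format (default `yyyy.MM.dd`, no explicit format or time zone suffix) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, fixed "now" so the results are deterministic (hypothetical value).
NOW = datetime(2016, 3, 10, 14, 7, 30, tzinfo=timezone.utc)

# Subset of Elasticsearch date math: "now", then +N/-N offsets and "/unit" rounding.
DATE_MATH = re.compile(r"^now((?:[+-]\d+[smhHd]|/[smhHd])*)$")
OPS = re.compile(r"([-+/])(\d*)([smhHd])")
UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "H": "hours", "d": "days"}
ROUND = {"s": ("microsecond",), "m": ("second", "microsecond"),
         "h": ("minute", "second", "microsecond"),
         "H": ("minute", "second", "microsecond"),
         "d": ("hour", "minute", "second", "microsecond")}

def eval_date_math(expr, now=NOW):
    """Evaluate date math as a query value is parsed, e.g. 'now-5m' or 'now-1h/d'."""
    m = DATE_MATH.match(expr)
    if m is None:
        # Same kind of failure the Watcher reported for "<{now-5m}>" in the range filter.
        raise ValueError(f"Parse failure at index [0] of [{expr}]")
    t = now
    for op, num, unit in OPS.findall(m.group(1)):  # applied left to right
        if op == "/":
            t = t.replace(**{field: 0 for field in ROUND[unit]})  # round down
        else:
            delta = timedelta(**{UNIT[unit]: int(num)})
            t = t + delta if op == "+" else t - delta
    return t

def resolve_index_name(expr, now=NOW):
    """Resolve index-name date math like '<logstash-{now/d}>' (assumed format yyyy.MM.dd)."""
    m = re.match(r"^<([^{}<>]*)\{([^{}|]*)\}>$", expr)
    if m is None:
        raise ValueError(f"not an index date-math expression: {expr}")
    return m.group(1) + eval_date_math(m.group(2), now).strftime("%Y.%m.%d")

def range_gte_value(value, now=NOW):
    """Return the ISO timestamp a range 'gte' bound resolves to, or raise on bad syntax."""
    return eval_date_math(value, now).isoformat()

if __name__ == "__main__":
    print(resolve_index_name("<logstash-{now/d}>"))   # index name: brackets are valid here
    print(range_gte_value("now-5m"))                   # query value: bare date math works
    try:
        range_gte_value("<{now-5m}>")                  # query value: index syntax fails
    except ValueError as err:
        print(err)
```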


#3

Yeah, this was completely the issue. I got confused with the usage of <{}>.

Thanks for the support

