Input search query not fetching custom index details

alerting

(GAUTAM SUDDAPALLI) #1

Hi,
I am inserting a list of IDs into my custom index. Every time the watch executes, its result is a possible list of cluster IDs, and I want to check if any of these IDs are present in the custom index in the last 24h. The insert is working as expected, but when I try fetching the custom index details to check if it's present or not, I get no hits back. I have also inserted a timestamp value into the payload, since it's not present by default. What am I doing wrong here?

Here is how I am trying to fetch the last 24 hours' data from the custom index:

{
    "second":{
        "search":{
            "request":{
                "indices":"cluster-health-*",
                "types":"cluster_id",
                "body":{
                    "query": {
                        "bool": {
                            "filter": {
                                "bool": {
                                    "must": [
                                        {
                                            "range": {
                                                "@timestamp": {
                                                    "gte": "now-24h"
                                                }
                                            }
                                        },
                                        {
                                            "term": {
                                                "type" : "cluster_id"
                                            }
                                        }
                                    ]
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

Here is how my index looks when I query it via the API:

"hits": {
    "total": 9,
    "max_score": 1,
    "hits": [
      {
        "_index": "cluster-health-2018.10.29",
        "_type": "cluster_id",
        "_id": "-jUnvmYBSMovSiDEbIiW",
        "_score": 1,
        "_source": {
          "_value": [
            {
              "cluster_id": "abdsbdkd-ewtt",
              "@timestamp": "2018-10-29T04:49:06.234Z"
            }
          ]
        }
      },
      {
        "_index": "cluster-health-2018.10.29",
        "_type": "cluster_id",
        "_id": "cBwzvmYBABxtzd1Q1UW3",
        "_score": 1,
        "_source": {
          "_value": [
            {
              "cluster_id": "abdsbdkd-ewtt",
              "@timestamp": "2018-10-29T05:02:40.050Z"
            }
          ]
        }
      },

(Alexander Reelsen) #2

I am fairly confident that your queries are not the same. The query below does not match any document in your sample result set, because there is no field named type, only one named cluster_id. You may want to refer to _type here.

--Alex


(GAUTAM SUDDAPALLI) #3

Thanks @spinscale
It works when I use _type and get rid of the timestamp filter. I want to be able to query for a certain amount of time; can't we query for a time range if it's inside the _source _value field, like in my example above?

"bool": {
    "must": [
        {
            "range": {
                "@timestamp": {
                    "gte": "now-24h"
                }
            }
        },
        {
            "term": {
                "_type" : "cluster_id"
            }
        }
    ]
}
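
The following is an added example, not code from the original thread or from Elastic. It assumes the `_value` field is mapped as a plain object (not `nested`), so Elasticsearch flattens the objects in the array and the timestamp is addressed by the dotted path `_value.@timestamp` rather than the top-level `@timestamp` the watch filtered on. The sample documents are constructed to match the shape of the hits shown above, and the local `count_hits` helper mimics the watch's filter to show why one path returns no hits while the other returns both documents.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample hits shaped like the documents in the original post:
# the timestamp lives inside the _value array, not at the top level of _source.
SAMPLE_DOCS = [
    {"_type": "cluster_id", "_source": {"_value": [
        {"cluster_id": "abdsbdkd-ewtt", "@timestamp": "2018-10-29T04:49:06.234Z"}]}},
    {"_type": "cluster_id", "_source": {"_value": [
        {"cluster_id": "abdsbdkd-ewtt", "@timestamp": "2018-10-29T05:02:40.050Z"}]}},
]

def build_search_input(index_pattern, doc_type, window="24h"):
    """Watcher search input that filters on the flattened path _value.@timestamp."""
    return {"search": {"request": {"indices": index_pattern, "body": {"query": {
        "bool": {"filter": [
            {"range": {"_value.@timestamp": {"gte": f"now-{window}"}}},
            {"term": {"_type": doc_type}},
        ]}}}}}}

def resolve_path(source, path):
    """Return every leaf value a dotted path reaches, descending into arrays the way
    Elasticsearch flattens a non-nested object field (assumption: _value is not 'nested')."""
    values = [source]
    for part in path.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    return [leaf for v in values for leaf in (v if isinstance(v, list) else [v])]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def count_hits(docs, field, now_iso, window_hours=24, doc_type="cluster_id"):
    """Apply the watch's filter locally: the type must match and at least one
    timestamp reached via `field` must fall inside the window ending at now_iso."""
    since = parse_ts(now_iso) - timedelta(hours=window_hours)
    hits = 0
    for doc in docs:
        if doc["_type"] != doc_type:
            continue
        if any(parse_ts(s) >= since for s in resolve_path(doc["_source"], field)):
            hits += 1
    return hits

if __name__ == "__main__":
    print(count_hits(SAMPLE_DOCS, "@timestamp", "2018-10-29T12:00:00.000Z"))         # 0
    print(count_hits(SAMPLE_DOCS, "_value.@timestamp", "2018-10-29T12:00:00.000Z"))  # 2
```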

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.