Kibana - How to query where time is greater than 5 PM

I'm currently filtering for a specific date range...let's say date:[2016-04-01T00:00:00 TO 2016-05-01T00:00:00]. How do I query for records within this range where the time is greater than 5 PM?

Thanks!

Do you mean you want records for all of those dates, but where the time portion of the date is greater than 5PM?

If so, you probably would only be able to do this by having different fields for date and time. Then your query would look like:

date:[2016-04-01 TO 2016-05-01] AND time:[1700 TO *]

If you're unable to add a new field, you could try adding a filter that contains an inline script, but that's pretty advanced, and inline scripts always come with some performance cost because of extra memory usage.

Just create some filter and then edit the JSON (click the icon that looks like a pencil editing a paper) for the filter to include the inline script. Something like this would work:

{
  "script": {
    "script": {
      "inline": "boolean gte(Supplier s, def v) {return s.get() >= v} gte(() -> { LocalDateTime.ofInstant(Instant.ofEpochMilli(doc['@timestamp'].value), ZoneId.of('UTC-07:00')).getHour() }, params.gte)",
      "params": {
        "gte": 17
      },
      "lang": "painless"
    }
  }
}

In the ZoneId.of('UTC-07:00') part, you want to put your UTC offset, because internally, Elasticsearch stores dates in epoch milliseconds in UTC. In my case, I'm in US Mountain time, so I used UTC-07:00. In the params.gte section, enter 17 which is 5pm in 24-hour format.

Here's a screenshot of a pinned filter I have showing on the Discover page that has this script (my script looks for greater than 4pm):

You can see when I enable/disable the filter in Discover, the records update to switch between showing all the documents of my query, and showing only the ones from after 4pm:

Hope that helps,
-Tim
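The hour comparison that the script filter above performs can be reproduced offline to check which documents a given offset and hour will match before the filter is pinned. This is an added example, not code from the thread; the function names, the sample events and the second offset (-6) used for comparison are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Painless source from the thread, with the zone offset left as a placeholder.
PAINLESS = ("boolean gte(Supplier s, def v) {return s.get() >= v} "
            "gte(() -> { LocalDateTime.ofInstant(Instant.ofEpochMilli("
            "doc['@timestamp'].value), ZoneId.of('%s')).getHour() }, params.gte)")

def ms(iso_utc):
    """Epoch milliseconds for a UTC timestamp written as YYYY-MM-DDTHH:MM:SS."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def build_filter(min_hour, offset_hours):
    """Filter JSON in the thread's shape for a whole-hour UTC offset."""
    zone = "UTC%s%02d:00" % ("-" if offset_hours < 0 else "+", abs(offset_hours))
    return {"script": {"script": {"inline": PAINLESS % zone,
                                  "params": {"gte": min_hour},
                                  "lang": "painless"}}}

def local_hour(epoch_ms, offset_hours):
    """Hour of day (0-23) at a fixed UTC offset, as the script's getHour() returns."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(epoch_ms / 1000, tz).hour

def matches(events, start, end, min_hour, offset_hours):
    """IDs of events inside [start, end] (UTC) whose local hour is >= min_hour."""
    lo, hi = ms(start), ms(end)
    return [e["id"] for e in events
            if lo <= e["@timestamp"] <= hi
            and local_hour(e["@timestamp"], offset_hours) >= min_hour]

# Constructed sample events (not from the thread); timestamps are stored in UTC.
EVENTS = [
    {"id": "a", "@timestamp": ms("2016-04-10T23:30:00")},  # 16:30 at -7, 17:30 at -6
    {"id": "b", "@timestamp": ms("2016-04-11T00:10:00")},  # 17:10 the previous local day
    {"id": "c", "@timestamp": ms("2016-04-11T15:00:00")},  # local morning
    {"id": "d", "@timestamp": ms("2016-04-12T06:59:00")},  # 23:59 at -7, 00:59 at -6
    {"id": "e", "@timestamp": ms("2016-05-02T01:00:00")},  # outside the date range
]

if __name__ == "__main__":
    for off in (-7, -6):
        print(off, matches(EVENTS, "2016-04-01T00:00:00", "2016-05-01T00:00:00", 17, off))
```

Events a and d change sides when the offset moves by one hour, so the value passed to ZoneId.of has to be the offset in effect for the data being queried.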
