Large numbers in KQL is difficult

bodo.te · September 25, 2020, 8:59am

Hi ,
I want to query "event.duration" with KQL.
Problem is: event.duration is in nano sec, but since I am querying "Mysql Slow Queries" im interested e.g. is a query like this :

event.duration > 180000000000

which would give me als mysql slow query of more then 3 minutes length.
So the scale I am dealing with is seconds or minutes, but KQL forces me to write nanoseconds , which is very impractical.
Even when I change the the number format in the Index Pattern, Kibanas Discover will SHOW the event.duration in seconds , but will still interpret KQL QUERIES in nano sec. It does not even allow me to write at least

event.duration > '180,000,000,000' #does not work

Is there any way to make querying easier ? (Google didn't find help)

Bodo

matw · September 29, 2020, 6:32am

Hi

So you're having a long typed ES field, and you're formatting it as duration in the index pattern, right? There is currently no way to make it easier, however this sound like a good enhancement, so you could start an feature request here: https://github.com/elastic/kibana/issues/new?template=Feature_request.md

Many thx and best,
Matthias

system · October 27, 2020, 6:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IIS Event.Duration Doesn't seem Queryable? Kibana	5	675	May 23, 2020
Kibana KQL issue, Greater than does not work for event.duration field Kibana	4	1165	September 30, 2021
Event.duration bug Logstash	5	433	November 15, 2021
Duration field formatter hh:mm:ss Kibana kibana-plugin-development	3	1787	April 23, 2021
Request for new output format on time duration field Kibana	3	576	January 13, 2021

Large numbers in KQL is difficult

Related topics