I'm working on a visualization and have all the work done, I'm just having troubles making it automatically return only data from a specific time window.
So if I search Kibana for: timestamp:" 04:*"
I get every log entry that happened between 4-5AM, any day. If I click the time option (top right of kibana) and select "Today", I get only entries from today between 4am to 5am. This is what I want to automate.
My main goal is to avoid forcing the user to manually select "Today" every time they try to use this visualization.
Depending on the visualization you are creating, you might be able to use a date histogram aggregation. Otherwise you could look into creating a scripted field.
Thank you both for your responses, I'll see what I can figure out today, using your suggestions. I'll report back with any successes (and thanks @bhavyarm for bringing this to @cheiligers's attention!)
Doctoring things a bit, I would hope this would work while bypassing the need to calculate time zone difference: timestamp:" 04:*" AND timestamp>="now-1d/d+*h"
Alas, I seem to be wrong as it comes up empty. I wonder, could it be because I'm forcing it to query the "timestamp" string as opposed to the system-created "@timestamp" value? In either case I come up empty (as well as with your original snippet, but I chalked that up to me thinking it was a time zone thing).
I'm not sure the datemath supports any kind of wildcard; now-1d/d+4h would work, but I don't think the one you just posted will. Unfortunately datemath has no documentation that I can find, but our JS implementation only supports +, - and / as operations, where / is a "beginning of interval" operation.
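To make the grammar described in the last reply concrete, here is an added example (not Kibana's or Elasticsearch's own code) of a small date math evaluator that accepts only `now` followed by `+N<unit>`, `-N<unit>` and `/<unit>` steps, applied left to right, with `/` truncating to the start of the interval. It shows why `now-1d/d+4h` resolves to 04:00 yesterday while `now-1d/d+*h` is rejected outright, and it wraps the expressions in a standard Elasticsearch range clause against `@timestamp` so that malformed input can be refused before it reaches the cluster. Assumptions that are mine rather than the thread's: the unit set `s m h d w M y`, a required number after `+`/`-`, Monday as the start of `/w`, and clamping the day when month arithmetic overflows; the reference instant `SAMPLE_NOW` is constructed for the demo.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Fixed-length units map straight onto timedelta keyword arguments.
_FIXED_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
# One token is either an arithmetic step (+N unit / -N unit) or a rounding step (/unit).
_TOKEN = re.compile(r"([+-])(\d+)([smhdwMy])|(/)([smhdwMy])")

# Constructed reference instant used by the demo and assertions: Wed 2017-03-15 13:45:30.
SAMPLE_NOW = datetime(2017, 3, 15, 13, 45, 30)


def _shift(t, n, unit):
    """Add n units to t; months and years are calendar-aware (day clamped to month end)."""
    if unit in _FIXED_UNITS:
        return t + timedelta(**{_FIXED_UNITS[unit]: n})
    months = t.year * 12 + (t.month - 1) + (n if unit == "M" else 12 * n)
    year, month = divmod(months, 12)
    month += 1
    day = min(t.day, calendar.monthrange(year, month)[1])  # assumption: clamp, e.g. Mar 31 - 1M -> Feb 28
    return t.replace(year=year, month=month, day=day)


def _round_down(t, unit):
    """Truncate t to the beginning of the given interval (the '/' operation)."""
    if unit == "w":
        # Assumption: weeks start on Monday, matching ISO weeks.
        t = t - timedelta(days=t.weekday())
        unit = "d"
    zero = {"s": {"microsecond": 0},
            "m": {"second": 0, "microsecond": 0},
            "h": {"minute": 0, "second": 0, "microsecond": 0},
            "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
            "M": {"day": 1, "hour": 0, "minute": 0, "second": 0, "microsecond": 0},
            "y": {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0, "microsecond": 0}}
    return t.replace(**zero[unit])


def eval_datemath(expr, now=None):
    """Resolve a 'now...' date math string to a datetime, applying steps left to right."""
    t = now if now is not None else datetime.now(timezone.utc)
    if not expr.startswith("now"):
        raise ValueError("expression must start with 'now'")
    pos = 3
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            # Anything else, including a '*' wildcard, is not part of the grammar.
            raise ValueError(f"unsupported date math at {expr[pos:]!r}: only +, - and / are operations")
        if m.group(1):
            n = int(m.group(2))
            t = _shift(t, n if m.group(1) == "+" else -n, m.group(3))
        else:
            t = _round_down(t, m.group(5))
        pos = m.end()
    return t


def is_valid_datemath(expr):
    """True when the expression parses; lets a caller reject bad input before it reaches the server."""
    try:
        eval_datemath(expr, SAMPLE_NOW)
        return True
    except ValueError:
        return False


def time_window_filter(field, start_expr, end_expr):
    """Build an Elasticsearch range clause for a window, validating both bounds locally first."""
    for expr in (start_expr, end_expr):
        if not is_valid_datemath(expr):
            raise ValueError(f"rejecting invalid date math {expr!r}")
    return {"range": {field: {"gte": start_expr, "lt": end_expr}}}


if __name__ == "__main__":
    for expr in ("now-1d/d+4h", "now/d+4h", "now/d+5h", "now-1M/M", "now/w"):
        print(f"{expr:14} -> {eval_datemath(expr, SAMPLE_NOW)}")
    print(time_window_filter("@timestamp", "now/d+4h", "now/d+5h"))
    print("now-1d/d+*h valid?", is_valid_datemath("now-1d/d+*h"))
```

Because the evaluator rounds in the local clock it is handed, the time zone question from earlier in the thread is still the caller's responsibility: pass a `now` in the zone the dashboard users think in, or keep everything in UTC on both sides. The range clause deliberately forwards the expressions as strings so the cluster does its own evaluation; the local parse is only a gate that refuses anything outside the `+`, `-`, `/` grammar.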