Need help with query for heartbeat

Hello,

I have the following query which matches all results with heartbeat field "up"=false.

GET heartbeat-2018.01.17/_search
{
  "query": {
    "match": {
      "up": {
        "query": false
      }
    }
  }
}

Can you help me filter the results to show only matches not older than, say, 15 minutes from now?
I can't seem to combine the match with a range filter.

Here's an example structure of the beat:

{
    "_index": "heartbeat-2018.01.17",
    "_type": "doc",
    "_id": "AWEDb-F0ffEhnz27e7Lf",
    "_score": 3.648773,
    "_source": {
      "@timestamp": "2018-01-17T09:25:17.936Z",
      "beat": {
        "hostname": "#######",
        "name": "#######",
        "version": "5.6.0"
      },
      "duration": {
        "us": 997911
      },
      "error": {
        "message": "Get http://#####: dial tcp#####: connectex: No connection could be made because the target machine actively refused it.",
        "type": "io"
      },
      "host": "#####",
      "ip": "#####",
      "monitor": "#####",
      "port": 3000,
      "resolve_rtt": {
        "us": 986
      },
      "scheme": "http",
      "tcp_connect_rtt": {
        "us": 996924
      },
      "type": "http",
      "up": false,
      "url": "#####"
    }
  }

Just modify your query like this to include a range query on the @timestamp field:

GET heartbeat-2018.01.17/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "up": {
              "query": false
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-15m"
            }
          }
        }
      ]
    }
  }
}
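An added example, not part of the original reply: a Python sketch that builds the same bool/filter request and works out which daily indices a 15-minute window touches, since a window that crosses midnight spans two of them. The function names are hypothetical, and it assumes daily indices are named by UTC date as in `heartbeat-2018.01.17`.

```python
import json
from datetime import datetime, timedelta, timezone

PREFIX = "heartbeat-"  # assumption: daily indices named by UTC date, as on the page


def down_query(window_minutes=15):
    """Request body: both clauses sit in bool.filter, so both must match."""
    return {"query": {"bool": {"filter": [
        {"match": {"up": {"query": False}}},
        {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
    ]}}}


def daily_indices(now, window_minutes=15):
    """Every daily index that the window [now - N minutes, now] touches."""
    end = now.astimezone(timezone.utc)
    day = (end - timedelta(minutes=window_minutes)).date()
    names = []
    while day <= end.date():
        names.append(PREFIX + day.strftime("%Y.%m.%d"))
        day += timedelta(days=1)
    return names


def search_request(now, window_minutes=15):
    """(path, body) for the Kibana console; skips a daily index that is absent."""
    path = ",".join(daily_indices(now, window_minutes)) + "/_search?ignore_unavailable=true"
    return path, json.dumps(down_query(window_minutes), indent=2)


def matches(source, now, window_minutes=15):
    """Local emulation of the two filter clauses against one _source document."""
    ts = datetime.strptime(source["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return source["up"] is False and ts >= now - timedelta(minutes=window_minutes)


if __name__ == "__main__":
    # Constructed clock value: five minutes after midnight UTC.
    path, body = search_request(datetime(2018, 1, 18, 0, 5, tzinfo=timezone.utc))
    print("GET " + path)
    print(body)
```
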

@val, you are a legend!

I've been struggling with this for a whole day.

Thank you so much!

Glad it helped :wink:
