Hello everyone,
I'd like to tell you about my problem. I have data coming up every day with logstash on my kibana, this data comes up either "ok" or "other" in a "status" field with the @timestamp of the day. I'd like to sort the "name" field to display only the rows that haven't had a "status = OK" for more than 3 days.
I've tried this little line of code "@timestamp <= now-3d" added to a sort on the maximum of @timestamp for which "status = others" but this has the effect of returning the lines 3 days before today without taking into account that it's only those containing "status = others" for 3 days that I'm interested in. Among other things, a sort that verifies that there has been no "status = ok" for 3 days from now would work just as well.
I think the best way to achieve this is to just select the correct time range in the time picker.
But let's look into your query: @timestamp <= now-3d means that the timestamp must be smaller than or equal to 3 days ago. What you actually want to tell it is that the timestamp needs to be larger than 3 days ago: @timestamp >= now-3d
Thank you for your reply. I see what you mean, but in reality the field I'm most interested in is not the timestamp but the status over the last 3 days, to check if this "account" is problematic because it's been "down" for more than 3 days.
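
An added example, not from any poster in this thread: one way to express "names with no status = ok in the last 3 days" is a terms aggregation per name whose buckets are dropped by a `bucket_selector` when they contain a recent ok document. It assumes `name` and `status` are keyword fields and that the ok value is stored as lowercase `ok`; `build_query`, `stale_names` and the sample documents are hypothetical names and constructed data.

```python
from datetime import datetime, timedelta, timezone

def build_query(days=3):
    """Body for POST <index>/_search: one bucket per name, kept only if it
    holds zero status=ok documents within the last `days` days."""
    return {
        "size": 0,
        "aggs": {
            "by_name": {
                # Assumption: "name" and "status" are keyword fields.
                "terms": {"field": "name", "size": 1000},
                "aggs": {
                    "ok_recent": {
                        "filter": {"bool": {"filter": [
                            {"term": {"status": "ok"}},
                            {"range": {"@timestamp": {"gte": f"now-{days}d"}}},
                        ]}}
                    },
                    "no_recent_ok": {
                        "bucket_selector": {
                            "buckets_path": {"ok": "ok_recent>_count"},
                            "script": "params.ok == 0",
                        }
                    },
                },
            }
        },
    }

def stale_names(docs, now, days=3):
    """Same rule evaluated locally, to check the logic without a cluster."""
    cutoff = now - timedelta(days=days)
    names = {d["name"] for d in docs}
    recent_ok = {d["name"] for d in docs
                 if d["status"].lower() == "ok" and d["@timestamp"] >= cutoff}
    return sorted(names - recent_ok)

# Constructed sample documents (not data from the thread).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
DOCS = [
    {"name": "acct-a", "status": "ok",    "@timestamp": NOW - timedelta(days=1)},
    {"name": "acct-b", "status": "other", "@timestamp": NOW - timedelta(days=1)},
    {"name": "acct-b", "status": "ok",    "@timestamp": NOW - timedelta(days=5)},
    {"name": "acct-c", "status": "other", "@timestamp": NOW - timedelta(days=2)},
]

if __name__ == "__main__":
    print(stale_names(DOCS, NOW))
```

The search must cover a window longer than 3 days for a name to get a bucket at all; a name with no documents in the searched range cannot be reported by this query.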