Query items by time stamp not working

So I want to get all events since a certain time, for example since "2017-03-02T21:56:53.033Z".

I made a runtime_timestamp field that just copies the @timestamp field, because I am parsing this data into C# and @ symbols don't play nice in there.

Here is my Logstash filter for that, which DOES work. I know this for a fact.

filter {
    mutate {
        add_field => ["runtime_timestamp", "%{@timestamp}"]
    }
}

Here is what I have now, which does not work.

{
  "query": {
    "range": {
      "runtime_timestamp":
        "2017-03-02T21:56:53.033Z"
    }
  },
  "_source": {
    "includes": [
      "runtime_timestamp",
      "id_orig_p",
      "id_orig_p",
      "id_orig_h",
      "conn_state",
      "id_resp_h",
      "id_resp_p",
      "service",
      "proto",
      "tags"
    ]
  },
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

Now, I get the following error from this query.

 {
  "error" : {
  "root_cause" : [
  {
    "type" : "parsing_exception",
    "reason" : "[range] query does not support [runtime_timestamp]",
    "line" : 5,
    "col" : 9
  }
  ],
   "type" : "parsing_exception",
   "reason" : "[range] query does not support [runtime_timestamp]",
   "line" : 5,
   "col" : 9
  },
  "status" : 400
}

I tried this query also with timestamp in place of runtime_timestamp, and I still get the same error.

Your range query syntax is slightly off. You need to specify some kind of qualifier, like "gte" (greater than or equal to):

"range": {
  "runtime_timestamp": { 
    "gte" : "2017-03-02T21:56:53.033Z"
  }
}

Full syntax here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html

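As an added example (not code from the thread or from Elastic): a Python sketch that builds the corrected search body from the answer and flags the mistake in the original query, a range field given a bare value instead of an object with a bound. The function names are hypothetical; the field names and the timestamp are the ones from the posts above.

```python
import json

BOUNDS = {"gt", "gte", "lt", "lte"}  # comparison operators a range clause accepts

def build_since_query(field, since, source_fields, sort_field="@timestamp"):
    """Search body for every event with field >= since, newest first."""
    return {
        "query": {"range": {field: {"gte": since}}},
        "_source": {"includes": list(source_fields)},
        "sort": [{sort_field: {"order": "desc"}}],
    }

def check_range_clauses(node, path="query"):
    """Walk a query tree and report range clauses that lack a bound object."""
    problems = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            problems += check_range_clauses(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            if key == "range" and isinstance(value, dict):
                for field, spec in value.items():
                    where = f"{path}.range.{field}"
                    if not isinstance(spec, dict):
                        kind = type(spec).__name__
                        problems.append(f"{where}: bare {kind}, expected an object with gt/gte/lt/lte")
                    elif not BOUNDS.intersection(spec):
                        problems.append(f"{where}: no gt/gte/lt/lte bound")
            else:
                problems += check_range_clauses(value, f"{path}.{key}")
    return problems

# Constructed sample: the "query" part of the original post, as it was sent.
BROKEN_QUERY = json.loads('{"range": {"runtime_timestamp": "2017-03-02T21:56:53.033Z"}}')

# Field names taken from the "_source" list in the question.
FIELDS = ["runtime_timestamp", "id_orig_h", "id_orig_p", "id_resp_h",
          "id_resp_p", "conn_state", "service", "proto", "tags"]

if __name__ == "__main__":
    print(check_range_clauses(BROKEN_QUERY))
    fixed = build_since_query("runtime_timestamp", "2017-03-02T21:56:53.033Z", FIELDS)
    print(check_range_clauses(fixed["query"]))
    print(json.dumps(fixed, indent=2))
```

Pass only the `query` part of a body to `check_range_clauses`; a `range` aggregation uses a different shape and is not covered by this check.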

That worked, thanks!

Great! Happy to help 🙂
