Query range not working?

agonzalez · April 4, 2017, 9:22am

I am doing this query but it is returning documents older:

get /ueb-metrics-*/_search
{
  "query": {
    "range": {
      "timestamp": {
        "gte": "now-1d"
      }
    }
  }
}

returns docs from months ago like:

hits": [
      {
        "_index": "ueb-metrics-2017.01",
        "_type": "object",
        "_id": "d6b3ec11-ecd9-47e2-842a-99574ff8b3a0_storage_2017.01.18_14.00",
        "_score": 1,
        "_source": {
          "type": "storage",
          "asset_tag": "d6b3ec11-ecd9-47e2-842a-99574ff8b3a0",
          "timestamp": "2017-01-18T14:00:01.694245+01:00",
          "storage": {
            "name": "Internal",
            "mb_free": 135978,
            "mb_size": 153521,
            "mb_used": 17543,
            "mb_to_purge": 3166,
            "percent_used": "11.43%",
            "average_write_speed": "N/A",
            "dedup": "N/A"
          }
        }

dadoonet · April 4, 2017, 9:39am

Depending on your client may be try with POST instead of GET

What is the mapping?

agonzalez · April 4, 2017, 11:54am

so confusing. using POST it works, i am using kibana dev tools to run the query

If i use GET in another index it with some query it works, but in this index i have to use POST.

dadoonet · April 4, 2017, 12:44pm

If you are using Kibana console change get to GET and look if it fixes your issue.

agonzalez · April 4, 2017, 10:40pm

I was using GET already

dadoonet · April 4, 2017, 10:52pm

Make sure there is no empty line between the GET xxx line and the body.

What version are you using?

agonzalez · April 4, 2017, 10:54pm

No empty line. I am using 5.2.0

GET /ueb-appliance*/_search
{
  "query": {
    "range": {
      "timestamp": {
        "gte": "now-1d"
      }
    }
  }
}

dadoonet · April 4, 2017, 11:11pm

Can't reproduce it. Weird

system · May 2, 2017, 11:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.