"query" that combines range and term in ElasticSearch plugin in Logstash input

Dolph_2709 · October 4, 2018, 2:13pm

Hello,

I need a help with "query" syntax in Elasticsearch plugin.
Currently my input looks like this (and it works OK):

input {
elasticsearch {
hosts => ["1x.1x.1xx.1xx:9200"]
index => "worklight"
scroll => "10m"
size => 4000
query => '{ "query": { "range": { "timestamp": {"gt":"now-10m/m", "lte" :"now" } } } }'
docinfo => true
schedule => "* * * * *"
}
}

I need to introduce an extra filtering in the query by the log type. Could you, please, help me with query syntax?
Is this right?

query => '{ "query": { "query_string": {"query": "type: MfpAppLogs"} AND "range": { "timestamp": {"gte":"now-365s", "lte" :"now-300s" } } } }'

or this?

query => '{ "query": { "query_string": {"query": "type: MfpAppLogs"}, "range": { "timestamp": {"gte":"now-365s", "lte" :"now-300s" } } } }'

Thank you!

Dolph_2709 · October 4, 2018, 7:55pm

I guess I found the answer, it was a tricky change:

query => '{ "query": { "bool": { "must": [ { "term": { "_type": "MfpAppLogs" }}, { "range": { "timestamp": {"gte":"now-365s", "lte" :"now-300s" } } }] } } }'

system · November 1, 2018, 7:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.