Query to find if a field exists in last 7 hours

ankitdevnalkar · August 11, 2021, 12:16pm

I am trying to find documents containing opsgenieAction:create in the last 7 hours. I constructed the following query but somehow the result is not as expected.

can someone help to find what is wrong here?

Query :

GET my-index*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "date": {
              "gte": "now-7h",
              "lt" : "now"
            }
          }
        }
      ],
      "should": [
        {
          "query_string": { "fields": [
              "opsgenieAction"
            ],
              "query": "opsgenieAction:create"
          }
        }
      ]
    }
  }
}

Response :

response: 
{
  "took" : 658,
  "timed_out" : false,
  "_shards" : {
    "total" : 276,
    "successful" : 276,
    "skipped" : 275,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

Mark_Harwood · August 11, 2021, 1:03pm

You made the opsgenieAction:create clause optional by putting it in the should section.
Place it in the filters section along with the other mandatory clause.

ankitdevnalkar · August 11, 2021, 1:12pm

@Mark_Harwood thanks for replying.

do you mean like this ?

GET my-index*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "date": {
              "gte": "now-7h",
              "lt": "now"
            }
          },
          "term": {
            "opsgenieAction": "create"
          }
        }
      ]
    }
  }
}

Mark_Harwood · August 11, 2021, 1:15pm

Close. The filter array should have 2 objects [ {...}, {...}] not one.

ankitdevnalkar · August 11, 2021, 1:24pm

I tried the way you suggested, the query was executed successfully but again result is not as expected.

Query :

GET my-index*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "date": {
              "gte": "now-7h",
              "lt": "now"
            }
          }
        },
       {
         "term": {
           "opsgenieAction": "create"
         }
       }
      ]
    }
  }
}

Response :

{
  "took" : 250,
  "timed_out" : false,
  "_shards" : {
    "total" : 276,
    "successful" : 276,
    "skipped" : 275,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

Mark_Harwood · August 11, 2021, 1:26pm

To help further I'd need the following JSON:

Your index mapping
An example doc which you expect to match but doesn't

ankitdevnalkar · August 11, 2021, 1:54pm

sure @Mark_Harwood....Both are as following. I have removed some information, but field names are as it is.

Sample doc:

gist.github.com

https://gist.github.com/ankitdevnalkar/805d69b867a5afd8deb79c587b1c6681#file-sample-document

sample document

{
    "id": "my_id",
    "startDate": "2020-03-15T09:38:20.000Z",
    "enterprise": "my_enterprise_id",
    "isCold": false,
    "confirmedBalanceUnitAmount": 27.90763543,
    "deleted": false,
    "approvalsRequired": 1,
    "type": "hot",
    "users": [

This file has been truncated. show original

mapping of my index :

gist.github.com

https://gist.github.com/ankitdevnalkar/1647dbd49f83d3972fb6c715e03dcfe2#file-index_mapping

index_mapping

"mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "@version" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",

This file has been truncated. show original

Mark_Harwood · August 11, 2021, 2:12pm

Your example document has no field at the root called date. Your query is expecting that

ankitdevnalkar · August 11, 2021, 2:20pm

@Mark_Harwood got it !!

yeah it works now. Thanks alot

system · September 8, 2021, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.