Quiet servers search

I am trying to write a query that will show what servers have not logged in the last 15 minutes but were logging a day ago. I am using Elasticsearch 5.2. Here is what I have:

POST _search
{
  "size":0,
  "query":{
    "bool":{
      "should":[
        {
          "range":{
            "@timestamp":{"gt":"now-15m", "lte":"now"}
          }
        },
        {
          "range":{
            "@timestamp":{"gt":"now-1d-1h", "lte":"now-1d"}
          }
        }
      ]
    }
  },
  "aggs":{
    "what":{
      "terms":{"field":"hostname.keyword"},
      "aggs":{
        "when":{
          "range":{
            "field":"@timestamp",
            "ranges":[
              {"from":"now-1d"},
              {"to":"now-1d"}
            ]
          }
        }
      }
    }
  }
}

I have two problems with this. It only returns 10 hosts and all of them have 0 in the bucket that should have the "now-15m" logs. Example:

{
  "key": "icarus.11-e.ninja",
  "doc_count": 4174,
  "when": {
    "buckets": [
      {
        "key": "*-2017-03-14T20:02:18.235Z",
        "to": 1489521738235,
        "to_as_string": "2017-03-14T20:02:18.235Z",
        "doc_count": 4174
      },
      {
        "key": "2017-03-14T20:02:18.235Z-*",
        "from": 1489521738235,
        "from_as_string": "2017-03-14T20:02:18.235Z",
        "doc_count": 0
      }
    ]
  }
}

I feel like I'm missing a size option somewhere, but I'm not sure.

So on further debugging it doesn't always have 'doc_count: 0' in the second bucket but often does.
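An added example, not code from the original post, that separates the two issues in the question: the terms aggregation returns 10 buckets by default unless `size` is set, and the "quiet" decision is easier to make on two filter sub-aggregations (recent window, baseline window) than on a range aggregation, with a `bucket_selector` dropping every host that is still logging. It assumes the Elasticsearch 5.x query DSL (Painless scripts with the `inline` key) and the `hostname.keyword` field from the post; the hostnames and counts in `SAMPLE_RESPONSE` are constructed. From a monitoring standpoint a host that stops shipping logs is worth alerting on, since it can mean a dead agent, a full disk or deliberate tampering.

```python
"""Quiet-server detection against an Elasticsearch 5.x aggregation response.

Added example, not code from the original post. Assumptions: the 5.x query DSL
(terms `size`, `filter` sub-aggregations, `bucket_selector` with a Painless
`inline` script) and the field name `hostname.keyword` from the post; all
hostnames and counts below are constructed.
"""

RECENT_WINDOW = "now-15m"    # a host is "quiet" if it has nothing after this
BASELINE_FROM = "now-1d-1h"  # ... but did log inside this window a day ago
BASELINE_TO = "now-1d"


def quiet_servers_query(max_hosts=1000):
    """Request body returning one bucket per host that was logging a day ago
    but has no documents in the last 15 minutes.

    The terms aggregation returns only 10 buckets by default, so `size` is set
    explicitly; the bucket_selector drops every host that is still logging, so
    the response contains only the quiet ones.
    """
    recent = {"range": {"@timestamp": {"gt": RECENT_WINDOW, "lte": "now"}}}
    baseline = {"range": {"@timestamp": {"gt": BASELINE_FROM, "lte": BASELINE_TO}}}
    return {
        "size": 0,
        "query": {"bool": {"should": [recent, baseline], "minimum_should_match": 1}},
        "aggs": {
            "hosts": {
                "terms": {"field": "hostname.keyword", "size": max_hosts},
                "aggs": {
                    "recent": {"filter": recent},
                    "baseline": {"filter": baseline},
                    "only_quiet": {
                        "bucket_selector": {
                            "buckets_path": {"recent": "recent._count",
                                             "baseline": "baseline._count"},
                            "script": {"lang": "painless",
                                       "inline": "params.recent == 0 && params.baseline > 0"},
                        }
                    },
                },
            }
        },
    }


def terms_truncated(response):
    """True when the terms aggregation saw more hosts than `size` allowed,
    i.e. some hosts were silently left out of the result."""
    return response["aggregations"]["hosts"].get("sum_other_doc_count", 0) > 0


def quiet_hosts(response):
    """Hosts with baseline documents but no recent ones, sorted by name.

    The condition is re-checked client-side so the function also works on a
    response produced without the bucket_selector.
    """
    buckets = response["aggregations"]["hosts"]["buckets"]
    return sorted(
        b["key"] for b in buckets
        if b["recent"]["doc_count"] == 0 and b["baseline"]["doc_count"] > 0
    )


# Constructed response in the shape Elasticsearch returns for the query above
# (without the bucket_selector, so hosts that are still logging appear too).
SAMPLE_RESPONSE = {
    "aggregations": {
        "hosts": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "web-01.example.test", "doc_count": 4174,
                 "recent": {"doc_count": 0}, "baseline": {"doc_count": 4174}},
                {"key": "db-02.example.test", "doc_count": 812,
                 "recent": {"doc_count": 400}, "baseline": {"doc_count": 412}},
                {"key": "new-03.example.test", "doc_count": 55,
                 "recent": {"doc_count": 55}, "baseline": {"doc_count": 0}},
                {"key": "auth-04.example.test", "doc_count": 90,
                 "recent": {"doc_count": 0}, "baseline": {"doc_count": 90}},
            ],
        }
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(quiet_servers_query(), indent=2))
    print("quiet:", quiet_hosts(SAMPLE_RESPONSE),
          "truncated:", terms_truncated(SAMPLE_RESPONSE))
```

`terms_truncated` is the check to run on every response: a non-zero `sum_other_doc_count` means hosts were cut off by the terms `size`, and a quiet host that never made it into the buckets is exactly the one this search is meant to find.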

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.