What I'm trying to do is find if a certain timefield is within tolerance of another.
So, for example I want:
entrytime:[@timestamp-4h TO @timestamp+4h]
...where @timestamp is the the timestamp on this logentry (and is my timestamp index)
I will use this to build a visualization (table) that has a count with buckets being on a status field.
You can kind of do this using a scripted field. You can create a scripted field in the index pattern settings. It would be something like this:
doc['entrytime'].value.millis - doc['@timestamp'].value.millis
Let's call this scripted field date_diff. This would give you the number of milliseconds between your two dates. Since 4 hours is equivalent to 14400000 milliseconds, you could then do a search like this (assuming you're using KQL, not Lucene, as Lucene doesn't support Kibana's scripted fields):
date_diff > -14400000 and date_diff < -14400000
Alternatively, you could create a filter (via the Add Filter dialog) where date_diff is between -14400000 and 14400000.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.