Search API limiting output

How do I use the search API to query over a period of time (the last 15 mins) and also limit the output to a size of 1?

I have the below working, but that searches for everything up to 10,000 docs.

POST index/_search?q=host:FW1

Refer to this to query over a period of time

Refer to this to limit the output size to 1

1 Like

Is it not possible to pass it all in one request, rather than adding the JSON?

It's actually searching for more than that. If you have 1m documents matching, all of them are "searched". The number of hits you have in the response basically tells you that we found at least 10000 documents matching.
You can have the exact number but this is optional.

Setting size: 1 will just return the first top document (sorted by _score) but it will still search for everything.

Yes. I don't like it but you can:

Perfect thank you.

Last question - When we set the size to one, is it possible to limit the response output so that we don't get the hits array returned? Only that there is a total of "1" hit.

The range doesn't seem to affect the amount of "hits" that are brought back.

Even when setting it to now-1s it still says there are 10,000. Is that because you mentioned it searches everything regardless of the size? Can it not search only for the last 5 minutes, like we can using the Discover tool and KQL? This is because we do not want the request to take any noticeable period of time once there are more logs stored in ES.

POST index/_search?q=host:FW1
{
    "size": 1,
    "query": {
        "range": {
            "timestamp": {
                "gte": "now-1s"
            }
        }
    }
}

You can't use both URI syntax and body.

So you should use a bool query with a filter array containing your range query and probably a match query on field host with value FW1.

Again size only tells you how many documents you want to return back within the response. Like the size of the page. 10 documents per "page" is the default value.

1 Like
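
An added example, not part of the original thread: it builds the body-only request suggested in the last reply (a bool query whose filter array holds a match on host and a range on timestamp) and runs it against a small local stand-in for Elasticsearch to show that size only pages the hits while the range decides what matches. The helper names, the constructed documents and the exact-equality host match in the stand-in are assumptions; `track_total_hits` is the real search option for an exact total.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def build_body(host, since="now-15m", size=1, exact_total=False):
    """Request body for POST index/_search (no ?q= in the URL)."""
    body = {
        "size": size,  # page size only: how many hits come back
        "query": {"bool": {"filter": [
            {"match": {"host": host}},
            {"range": {"timestamp": {"gte": since}}},
        ]}},
    }
    if exact_total:
        body["track_total_hits"] = True  # exact count, not the 10,000 lower bound
    return body

def resolve(date_math, now):
    """Resolve only the 'now-<n><unit>' form used in the thread."""
    m = re.fullmatch(r"now(?:-(\d+)([smhd]))?", date_math)
    if not m:
        raise ValueError(f"unsupported date math: {date_math}")
    if m.group(1) is None:
        return now
    return now - timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def simulate(body, docs, now):
    """Local stand-in for Elasticsearch: apply the filters, then page by size."""
    match, rng = body["query"]["bool"]["filter"]
    host = match["match"]["host"]  # simplified: exact equality, no analysis
    floor = resolve(rng["range"]["timestamp"]["gte"], now)
    matched = [d for d in docs if d["host"] == host and d["timestamp"] >= floor]
    return {"hits": {"total": {"value": len(matched)}, "hits": matched[: body["size"]]}}

# Constructed sample documents, not real firewall logs.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
DOCS = [
    {"host": "FW1", "timestamp": NOW - timedelta(minutes=2)},
    {"host": "FW1", "timestamp": NOW - timedelta(minutes=10)},
    {"host": "FW1", "timestamp": NOW - timedelta(hours=3)},
    {"host": "FW2", "timestamp": NOW - timedelta(minutes=1)},
]

if __name__ == "__main__":
    for size in (1, 0):  # size 0 keeps the total but returns an empty hits array
        resp = simulate(build_body("FW1", size=size), DOCS, NOW)
        print(size, resp["hits"]["total"]["value"], len(resp["hits"]["hits"]))
```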