Several date math questions

I can't work out if there are any questions from your first post which you still need answers to, but I have tried to answer the questions in your second post below. If you still have questions from your first post that you would like answered (or have other questions on date math), let me know.

The /X operator (where X is a time period like d) will round back in time to the nearest start of that time period. So /d will round back to the start of the day, whereas /M would round back to the start of the month.

So if it is 2015-08-15 12:01:00 currently:

now/d = 2015-08-15 00:00:00
now-1h/d = (2015-08-15 11:01:00)/d = 2015-08-15 00:00:00
now+1h/d = (2015-08-15 13:01:00)/d = 2015-08-15 00:00:00
now-13h/d = (2015-08-14 23:01:00)/d = 2015-08-14 00:00:00

now/d-1h = (2015-08-15 00:00:00) - 1h = 2015-08-14 23:00:00
now/d+1h = (2015-08-15 00:00:00) + 1h = 2015-08-15 01:00:00
now/d-13h = (2015-08-15 00:00:00) - 13h = 2015-08-14 11:00:00

Does that make sense?

To pick a couple of the questions from your first post:

try this:

"filter": {
    "bool": {
        "must": [
            { "range": { "@timestamp" : { "gte" : "now/M" }}}
        ]
    }
},

If now is 2015-08-18 11:00:00 then:

now/M = 2015-08-01 00:00:00

So the above query will match everything from 1st August 2015 onwards.

Your second example should work here:

"filter": {
    "bool": {
        "must": [
            { "range": { "@timestamp" : { "gte" : "now-1d/d" }}},
            { "range": { "@timestamp" : { "lt" : "now/d" }}}
        ]
    }
},

Because if now is 2015-08-18 11:00:00 then:

now-1d/d = (2015-08-17 11:00:00)/d = 2015-08-17 00:00:00
now/d = 2015-08-18 00:00:00

So the problem here could be timezones (timezones are hard). When you ingest your data, does it contain a timezone? What is the timezone of your server? What are the timezones of the results when they are displayed (could you show a snippet of some of the erroneous hits)?

HTH

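The rounding and offset rules worked through in the post above, as an added example that is not part of the original thread: a small Python evaluator for 'now'-anchored date math that applies each token strictly left to right (which is exactly why now-1h/d and now/d-1h differ) and an in_range helper that mirrors the gte/lt range filter. The unit set, the Monday week start, the day-clamping for month steps and the UTC-7 sample zone are assumptions of this example; it does not call Elasticsearch's own parser.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

_TOKEN = re.compile(r"([+-]\d+[yMwdhms]|/[yMwdhms])")  # an offset ("-1h", "+13h") or a rounding ("/d")
_FIELDS = ("month", "day", "hour", "minute", "second")  # descending significance
_START = {"y": 0, "M": 1, "w": 2, "d": 2, "h": 3, "m": 4, "s": 5}  # first field to reset per unit

# Constructed "now" values taken from the worked cases in the post above.
NOW_A = datetime(2015, 8, 15, 12, 1, 0)
NOW_B = datetime(2015, 8, 18, 11, 0, 0)
NOW_A_MINUS7 = NOW_A.replace(tzinfo=timezone(timedelta(hours=-7)))  # same wall clock, UTC-7 (assumed zone)

def _shift(dt, n, unit):
    """Add n units to dt; month/year steps clamp the day (31 Jan + 1M -> 28/29 Feb), an assumption here."""
    if unit in ("y", "M"):
        months = dt.year * 12 + (dt.month - 1) + (n * 12 if unit == "y" else n)
        year, month0 = divmod(months, 12)
        day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
        return dt.replace(year=year, month=month0 + 1, day=day)
    name = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}[unit]
    return dt + timedelta(**{name: n})

def _round_down(dt, unit):
    """Round dt back to the start of the unit, in whatever timezone dt already carries."""
    if unit == "w":  # assumption: weeks start on Monday (ISO); the post does not cover /w
        dt -= timedelta(days=dt.weekday())
    zero = {f: (1 if f in ("month", "day") else 0) for f in _FIELDS[_START[unit]:]}
    return dt.replace(microsecond=0, **zero)

def evaluate(expr, now):
    """Evaluate a 'now'-anchored expression; tokens apply strictly left to right."""
    if not expr.startswith("now"):
        raise ValueError("only 'now'-anchored expressions are handled here")
    dt, pos, rest = now, 0, expr[3:]
    for m in _TOKEN.finditer(rest):
        if m.start() != pos:  # something unparsable sits between two tokens
            raise ValueError("unparsable date math: %r" % expr)
        tok, pos = m.group(1), m.end()
        dt = _round_down(dt, tok[1]) if tok[0] == "/" else _shift(dt, int(tok[:-1]), tok[-1])
    if pos != len(rest):  # trailing text or an unknown unit
        raise ValueError("unparsable date math: %r" % expr)
    return dt

def in_range(ts, now, gte=None, lt=None):
    """Mirror the post's range filter: gte is inclusive, lt is exclusive."""
    return (gte is None or ts >= evaluate(gte, now)) and (lt is None or ts < evaluate(lt, now))
```

Rounding happens in the zone the now value carries, so now/d for NOW_A_MINUS7 is local midnight, which is 07:00 UTC; that gap is the timezone effect the post asks about when hits fall outside the expected day.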