I am trying to use a date range for a query using a field other than @timestamp. I can't figure out what I'm doing wrong.
Here is the original query that works and uses @timestamp:
{
  "size": 500,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "+\"MeetingStartedEvent\"",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1533224298156,
              "lte": 1533231149003,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "_source": [ "meetingId", "event_time" ]
}
It returns plenty of results, one of which looks like this:
{
  "_index" : "logstash-2018.08.02",
  "_type" : "foo",
  "_id" : "AWT7qhivumgVPlrZNYdf",
  "_score" : 16.294584,
  "_source" : {
    "meetingId" : "1487972933889",
    "event_time" : "2017-02-24 21:49:07"
  }
}
The problem is that I don't want to filter based on when the log makes it into ES. I want to filter based on when the event happened (in this case, event_time). So I used this documentation and changed my range filter to look like this:
"range": {
  "event_time": {
    "format": "yyyy-MM-dd HH:mm:ss",
    "gte": "2017-02-24 00:00:00",
    "lte": "2017-02-24 11:59:59"
  }
}
I expected I would get the same result as the one listed above (plus a handful of others); instead, I get this:
{
  "took" : 75,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}
Any idea what I'm missing?