Subtracting time in elasticsearch query

Mahdy_S · November 29, 2016, 3:41pm

If I want to query event in a "relative" time window, I can do it in elasticsearch if my reference point is the current time "now". So I can say I want to query documents in the last 24 hours by sending the following query:

GET _search
{
	"query" : {
		"range":{
			"@timestamp" : {
				"gte":"now-1d",
				"lt":"now"
			}
		}
	}
}

However, I can't find a way to do this based on a timestamp that I can specify. So what I need is something similar to e.g. {"gte":"2016-11-13T18:35:08.219Z-1d","lt":"2016-11-13T18:35:08.219Z"}. Is there any query format which makes this possible?

nik9000 · November 29, 2016, 7:04pm

It looks like you can replace now with a date string ending in ||. So says the docs. So I expect "gte":"2016-11-13T18:35:08.219Z||-1d","lt":"2016-11-13T18:35:08.219Z"} to work.

Mahdy_S · November 30, 2016, 7:55am

Yes this works. Thanks a lot!

system · December 28, 2016, 7:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.