Term query (max) timestamp question

mgolubov55 · December 13, 2018, 7:13pm

Is this kind of query possible?

GET /logstash*/_search
{
"query": {
"term": {"@timestamp": <somehow get the maximum (latest) value for @timestamp>}
}
}

some kind of inline process that gets the value for @timestamp field (???)

NerdSec · December 14, 2018, 5:24am

Hi Michael,

Yes, you can get the Maximum value for timestamp. You will have to use aggregations to get the max value. It cannot be achieved using the term query.

https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-max-aggregation.html

mgolubov55 · December 14, 2018, 1:05pm

Hello Nerdsec,

My issue is this:

I tried the following, which does not work:

GET /logstash*/_search

{

"aggs" : {

"max_timestamp" : { "max" : { "field" : "@timestamp" } }

},

"query": {

"term": {"@timestamp": "max_timestamp"}

}

I was hoping the “max_timestamp” would act as a variable, inputting the result into the term query.

This is not the case which is why I used the word “pipelining” in my question.

Regards,

Michael

Michael Golubov

QT IT - Trading Tools - US

()

Mark_Harwood · December 14, 2018, 1:48pm

Do you want just the max timestamp or the document with the max timestamp?

mgolubov55 · December 14, 2018, 2:26pm

I want the set of documents with the max timestamp.

Mark_Harwood · December 14, 2018, 2:32pm

You could just sort the docs by timestamp reversed.

mgolubov55 · December 19, 2018, 5:38pm

What I am trying to do is monitor a subset of windows services (11 in this test).
I only want the subset to appear in the dashboard.

The windows.yml file is configured as follows:

module: windows
metricsets: ["service"]
period: 10s

The logstash pipeline selects the limited range of services as follows:
input {
beats {
port => "5044"
}
}

filter {

}

output {
if [windows][service][name] in ["lmhosts", "sppsvc", "UmRdpService", "QWAVE", "CtxMultiTouchSvc", "CtxSCardCertPropSvc", "Schedule", "MRVCSvc", "CitrixUSB", "dot3svc", "WwanSvc" ] {
elasticsearch {
hosts => [ "localhost:9200" ]
}

stdout {codec => rubydebug }
}

}

The refresh rate of the query is every 10 seconds
The following query does not always limit the display in the dashboard to 11 services with the latest date.
Sometimes 22, 14 etc. services are displayed (never more than 22) - I would like the display to always work, displaying 11 services each time - what am I doing wrong?
{
"query": {
"bool": {
"must": {
"range": {
"@timestamp": {
"gte": "now-15s",
"lte": "now"
}
}
}
}
},
"sort" : [
{ "@timestamp": { "order": "desc", "mode": "max" }}
]
}

system · January 16, 2019, 5:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.