Like the query asked here
Hi there
I have a stack of data, each of the documents has a name and a description. A name could look like this: 'Runtimeerror [-191]'. But the number isn't always the same (range from -1 to -100'000). I know that I can query them with a wildcard like:
GET /_search
{
  "query": {
    "wildcard" : { "Title" : "Runtimeerror *" }
  }
}
Is it possible to do a query like the one above but with Timelion?
The data also contains a timestamp.
I have something in mind like this: .es(index=*, q='Titl…
Is there a way to get Timelion queries to accept spaces? I understand the query is a Lucene query.
The query I have in question is (which works perfectly well):
logger: SomeLogger+Monitoring AND message:"something happened when"
The Timelion expression I have is:
.es(index=indexName*,timefield=@timestamp,q=logger:SomeLogger+Monitoring AND message:"something happened when").lines(fill=2, width=3).color(red).label("Monitoring Events")
The below does not work either:
.es(index=indexName*,timefield=@timestamp,q=logger:SomeLogger+Monitoring AND message:something happened when).lines(fill=2, width=3).color(red).label("Monitoring Events")
Exception = Timelion: SyntaxError: {"type":"incompleteFunction","function":"es","location":{"min":0,"max":3},"text":".es"}
q=logger:SomeLogger+Monitoring\ AND\ message:something\ happened\ when
Will not work either
As per
Try using either quotes, or if you have a non-analyzed field with the same data, you can point to that. Elasticsearch might have created one for you automatically depending on how you set up your mappings, and what version you are using - you can check this out in the Index patterns page of management:
The .keyword one above is the one that won't strip out special characters. So here are a few examples:
The query as you wrote it, returns too many matches:
Adding quotes r…
Looks like you need q='message:"something happened"'
single quotes with inner quotes
Closed by system, May 1, 2018, 7:41am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.