Timestamp range with aggregation query

I am trying to get the top 5 IPs between a certain time range with the below query, but it is not working.
Please tell me what the problem with the query is and how to fix it?

    {
      "size":0,
      "query": {
        "bool": {
          "must_not": [
            {"match": { "client_ip": "10.107.**.**" }}
          ]
        },
        "range" : {
          "timestamp" : {
              "gte": "2017-03-25 00:00:00", 
              "lte": "now"
          }
        }
      },
      "aggs":{
          "top-terms-aggregation":{  
             "terms":{  
                "field":"client_ip.keyword",
                "size":5
             }
          }
       }
    }

I am getting this error:

    {
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
            "line": 10,
            "col": 5
          }
        ],
        "type": "parsing_exception",
        "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 10,
        "col": 5
      },
      "status": 400
    }

Thank you.

Hey Saurabh,
if you want to combine multiple queries - in your case a match and a range query - you will have to use the bool query. You did that successfully for the must_not; the only thing you are missing is to also move the range query into a "must". This is how the working query looks. Note that the only thing I changed is to move the "range" into a "must":

    {
      "size": 0,
      "query": {
        "bool": {
          "must_not": [
            {
              "match": {
                "client_ip": "10.107.**.**"
              }
            }
          ],
          "must": [
            {
              "range": {
                "timestamp": {
                  "gte": "2017-03-25 00:00:00",
                  "lte": "now"
                }
              }
            }
          ]
        }
      },
      "aggs": {
        "top-terms-aggregation": {
          "terms": {
            "field": "client_ip.keyword",
            "size": 5
          }
        }
      }
    }
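To make the structural rule behind that parsing_exception concrete, here is an added example (not code from the thread or from Elasticsearch): a small Python builder for the corrected "top N client IPs in a time window" query, plus a checker that flags the mistake in the original query, a second clause sitting beside `bool` under `query`. The function and variable names are my own; the excluded IP pattern, time range and aggregation name are taken from the post.

```python
import json

def top_ips_query(exclude_ip_pattern, since, until="now", top_n=5):
    """Build the corrected query: every leaf query (match, range) lives inside
    the single bool query; the terms aggregation ranks client_ip.keyword."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "must_not": [{"match": {"client_ip": exclude_ip_pattern}}],
                "must": [{"range": {"timestamp": {"gte": since, "lte": until}}}],
            }
        },
        "aggs": {
            "top-terms-aggregation": {
                "terms": {"field": "client_ip.keyword", "size": top_n}
            }
        },
    }

def query_structure_errors(body):
    """Return human-readable errors for the structural rules the post hit:
    "query" must hold exactly one clause, and each entry in a bool occurrence
    (must/must_not/should/filter) must itself be a single-clause object."""
    errors = []
    query = body.get("query", {})
    clauses = list(query)
    if len(clauses) != 1:
        errors.append('"query" holds %d clauses %s; expected exactly one '
                      '(move the extra ones inside "bool")' % (len(clauses), clauses))
    for occurrence in ("must", "must_not", "should", "filter"):
        for i, entry in enumerate(query.get("bool", {}).get(occurrence, [])):
            if not isinstance(entry, dict) or len(entry) != 1:
                errors.append('bool.%s[%d] must be a single-clause object' % (occurrence, i))
    return errors

# The original query from the question, reconstructed here (constructed sample):
# "range" is a sibling of "bool" under "query", which is what Elasticsearch rejects.
BROKEN_QUERY = {
    "size": 0,
    "query": {
        "bool": {"must_not": [{"match": {"client_ip": "10.107.**.**"}}]},
        "range": {"timestamp": {"gte": "2017-03-25 00:00:00", "lte": "now"}},
    },
}

if __name__ == "__main__":
    print(query_structure_errors(BROKEN_QUERY))
    print(json.dumps(top_ips_query("10.107.**.**", "2017-03-25 00:00:00"), indent=2))
```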

Thank you very much.
