Timestamp search between two fields

Farah_Bhr · March 31, 2023, 12:54pm

In my use case, I created two fields for the values of start_time and end_time based on some indicators in the log lines
with kibana discover , I want to search for all the log lines that their timestamp is between these two fields start_time and end_time
any ideas please?

stephenb · April 1, 2023, 3:30pm

Hi @Farah_Bhr

It would look something like this but with your field names

@timestamp >= "2023-03-28T16:31:07.611Z" and event.ingested <= "2023-03-29T16:31:07.611Z"

Farah_Bhr · April 2, 2023, 12:56am

Hello , thank you for your response
I didn't understand exactly your use case
In fact I know there is such an option with >= and < , but I want to search for the @timestamp between two already defined fields , meaning , instead of searching with timestamp values like this :

{
          "range": {
            "@timestamp": {
              "gte": "2023-03-03T15:00:00.000Z",
              "lte": "2023-03-03T17:00:00.000Z"
            }
          }
        }

I want to change it to something similar to this (or using dynamic variables):

{
          "range": {
            "@timestamp": {
              "gte": "start_time",
              "lte": "end_time"
            }
          }
        }

With start_time and end_time are fields I defined so that "gte" and "lte" take the values of start_time and end_time fields
I don't know if there is a way to do so ?
If you can help me with this
Thank you in advance

stephenb · April 2, 2023, 2:15am

Kibana Discover KQL or filters do not operate on the value within another field, they operate on discreet values.

Where / How were you thinking you would define the start and end time values?.. in a Document?

Farah_Bhr · April 2, 2023, 11:32am

Ah okay , so this is not possible

I thought of it because in my use case , I have a lot of logs and I want to search in the log lines for an id and its flow (all logs lines related to that id) in the logs , and for every id I have indicators in the message log lines knowing that this specific id started and finished.
For example, when I have this message in the log lines "Created new id 0x56789" , I know that the flow of this specific id started , so that's why I thought of creating with logstash a new field to detect the start_time and end_time

If you have any ideas or if you can help me with this ?
Thank you

system · April 30, 2023, 11:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timestamp range in elasticsearch Kibana	9	9135	July 6, 2017
Search a date time field based off another date time field in the same log entry Kibana	2	364	May 30, 2019
Passing dynamic values to range query Elasticsearch	1	264	April 28, 2023
Query documents using multiple time fields Kibana	2	617	July 17, 2017
Add a time field in elasticsearch and calculate time between two event Logstash docker	4	380	June 28, 2022

Timestamp search between two fields

Related topics