Update by query date field (painless) and add hours

Elastic Stack Elasticsearch
1

Hi,
Some basics in painless (the painful syntax)
Trying to update a filed to have the timestamp value + X hours.

I was trying the following

POST index*/_update_by_query
{
  "script": {
    "source": "ctx._source.timestamp_shifted = ctx._source.timestamp + 39600",
    "lang": "painless"
  },
  "query": {
          "term": {
                  "msg_source_type_name.keyword": "xxx"
          }
  }
}

POST index*/_update_by_query
{
  "script": {
    "source": "ctx._source.timestamp_shifted = ctx._source.timestamp.plusHours(11)",
    "lang": "painless"
  },
  "query": {
          "term": {
                  "msg_source_type_name.keyword": "xxx"
          }
  }
}

Anyone can point me to the right syntax?

Cheers!

2

Hey,

if you access the _source the field of your date will be a simple string, so you need to parse it as a date first, i.e. using ZonedDateTime.parse(), and then you can call that .plusHours() method.

Hope that helps as a start.

--Alex

3

@spinscale
Thanks for that.
Have an example? Or documentation?
Having syntax issues again.
Cheers!

4

There is a snippet of local date time parsing in the [examples repo](https://github.com/elastic/examples/blob/master/Alerting/Sample Watches/lateral_movement_in_user_comm/scripts/lower_time.json) that could help you.