View Data from specific index over 24hr period

Wilks · November 11, 2021, 2:06am

Hi,
I am trying to come up with a way to view the data from a field within Elasticsearch index called "dns.highest_registered_domain" over a 24 hour period. I have come up with the following but I am not sure if it is over 24hrs, also is there a way to just display the data in the "dns.highest_registered_domain field"? without getting getting all the other fields

GET /index-*/_search
{
    "query": {
        "exists": {
            "field": "dns.highest_registered_domain"
        }
    }
}

stephenb · November 11, 2021, 2:22am

First I would probably use the Discover App in Kibana get a sense.

But query could look like this.

To just get the fields want here

You need to include a range filter.

Perhaps take a look here.

You also want to understand Query + Filter Context here

GET /indext-*/_search
{
  "fields": [
    "dns.highest_registered_domain"
  ],
  "query": {
    "bool": {
      "must": {
        "exists": {
          "field": "dns.highest_registered_domain"
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-24h/h"
          }
        }
      }
    }
  }
}

Wilks · November 11, 2021, 2:11pm

stephenb:

{
    "fields" : ["dns.highest_registered_domain"],
    "query": {
        "exists": {
            "field": "dns.highest_registered_domain"
        }
    },
    "filter": [ 
        { "range": { "@timestamp": { "gte": "now-24h/h" }}}
  ]
}

Thanks. This works if I remove everything below the "filter": statement. If I leave it in I get, I just cant figure out how to structure the "filter': statement to get it to pull over 24hrs

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "Unknown key for a START_ARRAY in [filter].",
        "line" : 8,
        "col" : 15
      }
    ],
    "type" : "parsing_exception",
    "reason" : "Unknown key for a START_ARRAY in [filter].",
    "line" : 8,
    "col" : 15
  },
  "status" : 400
}

stephenb · November 11, 2021, 2:48pm

@Wilks

Apologies... I am not sure what I pasted in above.. I fixed it... so that someone looking does not have the same experience as you.. Sorry again for that.

Here is the correct syntax...

This is based on the concept of Query + Filter Context its needs a bool, and both the Query and Filter can be arrays but in this case a single element can work.

GET /index-*/_search
{
  "fields": [
    "dns.highest_registered_domain"
  ],
  "query": {
    "bool": {
      "must": {
        "exists": {
          "field": "dns.highest_registered_domain"
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-24h/h"
          }
        }
      }
    }
  }
}

system · December 9, 2021, 2:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.