Watcher / Reporting - Timestamp Not Relative in Saved Search URL Export

tyler_hilsabeck · October 21, 2019, 6:21pm

Hi All,

When you export a saved search CSV export URL like this:

The resulting url looks like this:

https://XXXXXX:YYYYY/api/reporting/generate/csv?jobParams=(conflictedTypesFields:!(),fields:!(%27@timestamp%27,src_user,src),indexPatternId:%XXXXXXXXXXXXXX,metaFields:!(_source,_id,_type,_index,_score),searchRequest:(body:(_source:(excludes:!(),includes:!(%27@timestamp%27,src_user,src)),docvalue_fields:!(),query:(bool:(filter:!((bool:(filter:!((bool:(minimum_should_match:1,should:!((match_phrase:(msg:%27XXX%20XXX*%27))))),(bool:(minimum_should_match:1,should:!((match_phrase:(action:%27XXX%20in%27))))))))),must:!((exists:(field:alarm_name)),(range:(%27@timestamp%27:(format:strict_date_optional_time,gte:%272019-10-14T18:11:58.934Z%27,lte:%272019-10-21T18:11:58.934Z%27)))),must_not:!(),should:!())),script_fields:(),sort:!((%27@timestamp%27:(order:desc,unmapped_type:boolean))),stored_fields:!(%27@timestamp%27,src_user,src),version:!t),index:%27XXXXXXXXX-*%27),title:%27XXX%20%7C%20XXX%20XXX%20-%XXXXX%20XXXXXX%27,type:search)

Notice how the date is hardcoded, even though we specified a relative timerange in the export.

This an issue because when you put this URL into a watcher, as recommended here, the resulting data set will always be the same because watcher is always querying the same date range.

What is the best way to get around this? Can I specify a relative date range in the URL? Is there an override condition in Watcher that will solve this?

Thank you!

Bargs · October 21, 2019, 9:09pm

Hi @tyler_hilsabeck, yeah you should be able to manually enter a relative date range in the URL. Try copy pasting the exact text from the URL in your browser when you have the time range you want selected.

Would you mind also submitting an issue for this on our Github repo? IMO this looks like a bug we should fix for everyone.

tyler_hilsabeck · October 22, 2019, 12:52pm

@Bargs

Ticket has been created.

I will give it a shot but the browser URL queries Kibana and not Elasticsearch:

https://XXXXXXXXX:9243/app/kibana#/discover/...

vs.

The generated URL which queries the /api/reporting endpoint:

https://XXXXXXXXXXXX:9243/api/reporting/generate/csv?...

In the interim, do you know if there is a way to manually edit the query that is used in the URL to specify a dynamic date range? I have had trouble finding documentation for the /api/reporting/ with regard to timestamps.

Thanks again!

Bargs · October 22, 2019, 5:45pm

@tyler_hilsabeck thanks! I have labeled this ticket so it gets to the correct team.

Elasticsearch supports date math in its range query, so manually updating the existing range query in the URL with a value like now should work.

system · November 19, 2019, 5:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CVS export from saved search kibana gives a array as timestamp Kibana	2	702	June 25, 2020
Issue with Automatic CSV Report Generation from Kibana 7.13.4 Kibana elastic-stack-reporting	2	807	August 31, 2021
Download CSV from dashboard panel Kibana	3	1813	May 5, 2021
Feedback on CSV export of saved search in dashboard Kibana	4	625	September 24, 2019
Kibana export CSV from discovery - err:Unsupported content-type of false specified by job output Kibana	1	466	February 25, 2022

Watcher / Reporting - Timestamp Not Relative in Saved Search URL Export

Related topics