Watcher / Reporting - Timestamp Not Relative in Saved Search URL Export

tyler_hilsabeck · October 21, 2019, 6:21pm

Hi All,

When you export a saved search CSV export URL like this:

The resulting url looks like this:

https://XXXXXX:YYYYY/api/reporting/generate/csv?jobParams=(conflictedTypesFields:!(),fields:!(%27@timestamp%27,src_user,src),indexPatternId:%XXXXXXXXXXXXXX,metaFields:!(_source,_id,_type,_index,_score),searchRequest:(body:(_source:(excludes:!(),includes:!(%27@timestamp%27,src_user,src)),docvalue_fields:!(),query:(bool:(filter:!((bool:(filter:!((bool:(minimum_should_match:1,should:!((match_phrase:(msg:%27XXX%20XXX*%27))))),(bool:(minimum_should_match:1,should:!((match_phrase:(action:%27XXX%20in%27))))))))),must:!((exists:(field:alarm_name)),(range:(%27@timestamp%27:(format:strict_date_optional_time,gte:%272019-10-14T18:11:58.934Z%27,lte:%272019-10-21T18:11:58.934Z%27)))),must_not:!(),should:!())),script_fields:(),sort:!((%27@timestamp%27:(order:desc,unmapped_type:boolean))),stored_fields:!(%27@timestamp%27,src_user,src),version:!t),index:%27XXXXXXXXX-*%27),title:%27XXX%20%7C%20XXX%20XXX%20-%XXXXX%20XXXXXX%27,type:search)

Notice how the date is hardcoded, even though we specified a relative timerange in the export.

This an issue because when you put this URL into a watcher, as recommended here, the resulting data set will always be the same because watcher is always querying the same date range.

What is the best way to get around this? Can I specify a relative date range in the URL? Is there an override condition in Watcher that will solve this?

Thank you!

Bargs · October 21, 2019, 9:09pm

Hi @tyler_hilsabeck, yeah you should be able to manually enter a relative date range in the URL. Try copy pasting the exact text from the URL in your browser when you have the time range you want selected.

Would you mind also submitting an issue for this on our Github repo? IMO this looks like a bug we should fix for everyone.

tyler_hilsabeck · October 22, 2019, 12:52pm

@Bargs

Ticket has been created.

I will give it a shot but the browser URL queries Kibana and not Elasticsearch:

https://XXXXXXXXX:9243/app/kibana#/discover/...

vs.

The generated URL which queries the /api/reporting endpoint:

https://XXXXXXXXXXXX:9243/api/reporting/generate/csv?...

In the interim, do you know if there is a way to manually edit the query that is used in the URL to specify a dynamic date range? I have had trouble finding documentation for the /api/reporting/ with regard to timestamps.

Thanks again!

Bargs · October 22, 2019, 5:45pm

@tyler_hilsabeck thanks! I have labeled this ticket so it gets to the correct team.

Elasticsearch supports date math in its range query, so manually updating the existing range query in the URL with a value like now should work.

system · November 19, 2019, 5:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.