Newbie question on ElasticSearch:
I have following data with http://localhost:9200/tutorial/_doc/7:
"_index":"tutorial","_type":"_doc","_id":"7","_version":3,"_seq_no":25,"_primary_term":2,"found":true,
"_source":{
"message": "error",
"@timestamp": "2022-05-16T09:40:00"
}
and I'm trying to find all records with @timestamp between 2022-05-16T09:30:00 and 2022-05-16T09:50:00 with following request:
POST http://localhost:9200/tutorial/_search
Content-Type: application/json
{
"query": {
"bool": {
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp.keyword": {
"gt": "2022-05-16T09:30:00",
"lte": "2022-05-16T09:50:00"
}
}
}
]
}
}
}
}
}
The question I have, is that why do I have to use @timestamp.keyword but not just @timestamp for the value under range? If I use the one without keyword, I'll get nothing back.
A bit context, I'm setting up Elastalert which requires a @timestamp field. I checked that the requests it sends to ElasticSearch put @timestamp as the range without keyword, therefore it's not giving me any value.
Result for http://localhost:9200/tutorial if it helps:
{
"tutorial":{
"aliases":{
},
"mappings":{
"properties":{
"@timestamp":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
},
"fielddata":true
},
"message":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
}
}
}
},
"settings":{
"index":{
"routing":{
"allocation":{
"include":{
"_tier_preference":"data_content"
}
}
},
"number_of_shards":"1",
"provided_name":"tutorial",
"creation_date":"1652405360958",
"number_of_replicas":"1",
"uuid":"OuynpaOiRyqQ1sj-b2xuYw",
"version":{
"created":"7170399"
}
}
}
}
}
CodePudding user response:
Your @timestamp field is not mapped correctly, as text/keyword field types are not appropriate for date values. You need to change your mapping to this instead:
"@timestamp":{
"type":"date"
},
Then you'll be able to run your range query on @timestamp