I would like to get the number of documents that matches a specific string within a time range.
How can I specify a time range from this query?
GET myindex/_count
{
"query": {
"match" : {
"log" : "ERROR"
}
}
}
To get a time range:
{
"query": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lt": "now"
}
}
}
}
Is there a way to combine both queries?
The guys above me are correct, but they both added redundant [,] for the must which implies a query of more than on match field.
GET _search
{
"query": {
"bool" : {
"must" : {
"match" : { "log": "ERROR" }
},
"filter":
{
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lte": "now"
}
}
}
}
}
}
Sure you can. It can be done in two ways: with filtering and boolean query.
Elastic recommends to use filters to prefilter results - they are faster then queries.
Boolean queries can geather different queries by AND, OR, NOT operators.
In official Elastic docs you can find example that almost fits your question - elasticsearch documentation
So your query will be like:
{
"query": {
"bool": {
"must": [
{
"match": {
"log": "ERROR"
}
}
],
"filter": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lte": "now"
}
}
}
}
}
}
try this.
{
"query": {
"bool": {
"filter": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lt": "now"
}
}
},
"must": [
{
"term": {
"log" : "ERROR"
}
}
]
}
}
}
