
I have logs similar to the ones below.

I have created a dummy index and created the mapping like below in Dev Tools:

PUT new
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type":   "date",
        "format": "yyyy-MM-dd HH:mm:ss.SSS"
      }
    }
  }
}

and indexed data as below:

PUT /new/_doc/1
{
  "@timestamp": "2021-11-05 08:12:14.534",
  "level": "INFO",
  "id": "1",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/2
{
  "@timestamp": "2021-10-14 09:11:14.534",
  "level": "INFO",
  "id": "3",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/3
{
  "@timestamp": "2021-09-09 02:08:20.534",
  "level": "INFO",
  "id": "4",
  "text": "website is accessed",
  "status": "clicked"
}

I am able to fetch the total counts using the request query below:

GET new/_search
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

I get the response below:

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

As you can see, I need to hardcode the date to fetch the value for a particular month, i.e. to fetch the same information for September I need to modify the date-time range as below in the curl request:

"range": {
  "@timestamp": {
    "gte": "2021-09-01",
    "lte": "2021-09-30"
  }
}

Below is the curl request:

curl -u elastic:xxx  -XGET "http://10.10.10.10:9200/new/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}'

How can I pass the year and month dynamically (i.e. without hardcoding them in the request itself) to the curl request so that it fetches the information for that particular month and year?


Update:

I am able to get the results for last month (Nov), the month before that (Oct) and so on using the below:

last month (Nov):

"gte": "now-M",
"lt": "now/M"

2 months ago (Oct):

"gte": "now-2M/M",
"lte": "now-2M/M"

But is there a way to provide the desired year and month to retrieve the results?

Thanks,

abc

1 Answer


You can use date math with fully defined dates:

"range": {
  "@timestamp": {
    "gte": "2021-10-01",
    "lte": "2021-10-01||+1M/d"
  }
}
ilvar
  • Thanks. Ok, but again in that case a single curl request can't be used, i.e. for every new month, to get the data of the last month I need to change the timestamp in the curl request, i.e. if the current month is Dec and I have to fetch the data for Nov, then I need to change the `month` in the timestamp, and I will have to do the same when Jan is the current month and I need to fetch the data for Dec. Soon I will need to change the year also, so this is not good. I don't want to create separate curl requests for every month, hence I am looking to see if I can pass the year and month in a non-hardcoded way? – abc Dec 03 '21 at 12:15
  • How do you run that `curl`? If it's a bash script you could use bash scripting: `YEAR=2010; MONTH=10; curl ... "range": { "@timestamp": { "gte": "$YEAR-$MONTH-01", "lte": "$YEAR-$MONTH-01||+1M/d" } }` ? – ilvar Dec 03 '21 at 17:51
  • I was running curl as is, i.e. exactly the same way I have pasted above (without a bash script etc.), but yes, including this curl in a bash script and providing the year and month as variables can be a good option. I will try this. Thanks – abc Dec 04 '21 at 13:12
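The bash-variable approach suggested in the comments, written out as an added example (not code from the question or the answer): the year and month are validated before they are spliced into the JSON body, the range uses date math anchored on the first of the month, and `lt` with `+1M` excludes the first instant of the following month (the `lte ... ||+1M/d` form in the answer includes it). `ES_URL`, `ES_USER` and the script name are placeholders; the index `new`, the `@timestamp` field and the `match_phrase` clause come from the question.

```bash
#!/usr/bin/env bash
# Added example: build the monthly range filter from YEAR/MONTH arguments
# instead of editing the curl body by hand. ES_URL and ES_USER are placeholders.
set -eu

# Validate inputs before they reach the JSON body: only a 4-digit year and a
# month 1..12 pass, so an unexpected value cannot alter the request.
month_range() {
  local year="$1" month="$2" first
  case "$year" in [0-9][0-9][0-9][0-9]) ;; *) echo "bad year: $year" >&2; return 1 ;; esac
  case "$month" in [1-9]|[0-9][0-9]) month="${month#0}" ;; *) echo "bad month: $month" >&2; return 1 ;; esac
  if [ "$month" -lt 1 ] || [ "$month" -gt 12 ]; then echo "bad month: $2" >&2; return 1; fi
  first="$year-$(printf '%02d' "$month")-01"
  # Date math: anchor on the 1st, add one month, and use "lt" so the first
  # instant of the following month is excluded (lte would include it).
  # "format" tells Elasticsearch how to parse the date-only bounds, since the
  # mapping in the question declares only "yyyy-MM-dd HH:mm:ss.SSS".
  printf '{"range":{"@timestamp":{"gte":"%s","lt":"%s||+1M","format":"yyyy-MM-dd"}}}' "$first" "$first"
}

# Full body of the count query from the question, with the generated range.
count_query() {
  local range
  range="$(month_range "$1" "$2")"
  printf '{"size":0,"query":{"bool":{"filter":[{"match_phrase":{"text":"website is accessed"}},%s]}}}\n' "$range"
}

# Usage: ./monthly_count.sh 2021 9   (the curl only runs when both args are given)
if [ "$#" -eq 2 ]; then
  curl -s -u "${ES_USER:-elastic:xxx}" -XGET "${ES_URL:-http://10.10.10.10:9200}/new/_search?pretty" \
    -H 'Content-Type: application/json' -d "$(count_query "$1" "$2")"
fi
```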