I'm using Elasticsearch Open Distro to create an alert system, but I have one issue with my Elasticsearch query:
"search": {
  "indices": ["test_alert"],
  "query": {
    "size": 3,
    "aggregations": {},
    "query": {
      "bool": {
        "filter": {
          "range": {
            "@timestamp": {
              "gte": "now-1h",
              "lte": "now",
              "format": "epoch_second"
            }
          }
        }
      }
    }
  }
}
This is the query I use in my Open Distro monitor. The problem is that now-1h doesn't seem to work: I always get an empty result. I tried with raw timestamps (so that they would match and return results) and it worked well. I don't understand why the range doesn't work at all when I'm using now-1h.
Here is my mapping:
"properties": {
  "timestamp": {
    "type": "date",
    "format": "epoch_second"
  },
  "value": {
    "type": "long"
  }
}
Thanks for your help!
Your mapping says timestamp but your query has @timestamp. The two need to be consistently named. BTW, there's nothing special about @timestamp -- it's just a convention. You can do range.gte now-1h on any datetime field.
Correct mapping:
PUT test_alert
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "epoch_second"
      },
      "value": {
        "type": "long"
      }
    }
  }
}
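A monitor whose range filter names a field that is not in the mapping fails silently: the query is valid, it just never matches, so the alert never fires. The following added example (my code, not the answerer's and not part of Open Distro) is a small offline consistency check for exactly this failure mode. It walks a query body, collects the fields its leaf clauses reference, compares them with the flattened index mapping, and flags range clauses that use date math on a non-date field. It also resolves a subset of Elasticsearch date math (now and now±N with s/m/h/d/w units, an assumption, not the full grammar) to epoch seconds and evaluates the range locally against a few constructed documents, which reproduces the empty result from the question and the hits after the rename. The query, the two mappings, the sample documents and the reference time are all constructed here from the question and the answer.

```python
import re
from typing import Any, Dict, Iterator, List, Optional, Set

# --- Inputs reconstructed from the question and the answer (constructed for this example) ---
MONITOR_QUERY: Dict[str, Any] = {
    "size": 3,
    "aggregations": {},
    "query": {"bool": {"filter": {"range": {
        "@timestamp": {"gte": "now-1h", "lte": "now", "format": "epoch_second"}}}}},
}
QUESTION_MAPPING = {"properties": {"timestamp": {"type": "date", "format": "epoch_second"},
                                   "value": {"type": "long"}}}
FIXED_MAPPING = {"properties": {"@timestamp": {"type": "date", "format": "epoch_second"},
                                "value": {"type": "long"}}}

NOW = 1_700_000_000  # constructed reference time, epoch seconds
SAMPLE_DOCS = [  # constructed documents, timestamps in epoch seconds as the mapping's format says
    {"timestamp": NOW - 600, "value": 1},   # 10 minutes ago: inside now-1h..now
    {"timestamp": NOW - 7200, "value": 2},  # 2 hours ago: outside
    {"timestamp": NOW + 30, "value": 3},    # future: outside
]

LEAF_CLAUSES = {"range", "term", "terms", "match", "match_phrase", "prefix", "wildcard"}


def _find_clauses(node: Any, name: str) -> Iterator[Dict[str, Any]]:
    """Yield the body of every clause called `name` anywhere in a query tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name and isinstance(value, dict):
                yield value
            else:
                yield from _find_clauses(value, name)
    elif isinstance(node, list):
        for item in node:
            yield from _find_clauses(item, name)


def query_fields(query: Dict[str, Any]) -> Set[str]:
    """Collect the field names referenced by leaf clauses (range, term, match, ...) and exists."""
    found: Set[str] = set()
    for clause_name in LEAF_CLAUSES:
        for body in _find_clauses(query, clause_name):
            found.update(body.keys())  # leaf clause bodies are keyed by field name
    for body in _find_clauses(query, "exists"):
        found.add(body["field"])
    return found


def mapping_fields(mapping: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten a mapping into {dotted field name: type}; nested objects get dotted names."""
    fields: Dict[str, str] = {}
    for name, spec in mapping.get("properties", {}).items():
        full = prefix + name
        fields[full] = spec.get("type", "object")
        if "properties" in spec:
            fields.update(mapping_fields(spec, full + "."))
    return fields


def check_query(query: Dict[str, Any], mapping: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means every referenced field is mapped sensibly."""
    mapped = mapping_fields(mapping)
    problems: List[str] = []
    for field in sorted(query_fields(query)):
        if field not in mapped:
            problems.append(f"unmapped field {field!r}; mapped fields: {sorted(mapped)}")
    for body in _find_clauses(query, "range"):
        for field, params in body.items():
            uses_now = any(isinstance(v, str) and v.startswith("now") for v in params.values())
            if uses_now and field in mapped and mapped[field] not in ("date", "date_nanos"):
                problems.append(f"date math on {field!r}, which is mapped as {mapped[field]!r}, not date")
    return problems


_DATE_MATH = re.compile(r"^now(?:([+-])(\d+)([smhdw]))?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def resolve_date_math(expr: str, now_epoch: int) -> int:
    """Resolve 'now' or 'now[+-]N[smhdw]' to epoch seconds (a subset of Elasticsearch date math)."""
    m = _DATE_MATH.match(expr)
    if not m:
        raise ValueError(f"unsupported date math expression: {expr!r}")
    sign, amount, unit = m.groups()
    if sign is None:
        return now_epoch
    delta = int(amount) * _SECONDS[unit]
    return now_epoch + delta if sign == "+" else now_epoch - delta


def count_range_hits(docs: List[Dict[str, Any]], query: Dict[str, Any], now_epoch: int) -> int:
    """Evaluate the query's first range clause locally: a doc without the field never matches."""
    body = next(_find_clauses(query, "range"))
    (field, params), = body.items()
    lo = resolve_date_math(params["gte"], now_epoch)
    hi = resolve_date_math(params["lte"], now_epoch)
    return sum(1 for doc in docs if field in doc and lo <= doc[field] <= hi)


if __name__ == "__main__":
    print(check_query(MONITOR_QUERY, QUESTION_MAPPING))  # flags '@timestamp' as unmapped
    print(check_query(MONITOR_QUERY, FIXED_MAPPING))     # []
    print(count_range_hits(SAMPLE_DOCS, MONITOR_QUERY, NOW))  # 0: docs carry 'timestamp', not '@timestamp'
```

Running check_query over every monitor definition before deploying it (or as a scheduled job against the live mapping) turns the silent empty result into an explicit error, which is the failure a defender cares about: an alert that cannot fire is indistinguishable from a quiet environment.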