
ELK querying with python - Multiple conditions


I am trying to query the ELK using the following query:

query = {
      "query": {
        "match" : { "event.action" : "ssh_login" },
        "range": {
          "timestamp": {
            "gte": "now-2d/d",
            "lt": "now/d"
          }
        }
      }
    }

But I get the following error:

RequestError: RequestError(400, 'parsing_exception', '[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]')

I want all the samples where "event.action" is equal to "ssh_login" and I also want to get a specific time window. What is the correct format for the above query? Also I am having a problem with specifying the timestamp. The format of the timestamp is [2021-07-14T05:24:07.000Z]; how can I use specific timestamps for querying? Thank you!


Solution

First of all, it's better to provide more context, at least including the following:

  • ES version
  • Python version
  • Elasticsearch python client version
  • index mapping

That said, I'll make some assumptions and move on.

  • ES : 7.14.0
  • Python : 3.7.7
  • Elasticsearch Python client : 7.14.1

1. Query

You have to use a bool query to have multiple queries/conditions to find relevant documents.

    from elasticsearch import Elasticsearch
    es = Elasticsearch()
    
    body = {
      'query': {
        'bool': {
          'must': [
            {'term': {'event.action': {'value': 'ssh_login'}}},
            {'range': {'timestamp': {'gte': '2020-01-01T01:01:01.000Z'}}}
          ]
        }
      }
    }
    es.search(index="YOUR INDEX NAME", body=body)
    
2. Timestamp

This depends on your mapping. In my example, I used the following mapping.

    {
      'test': {
        'mappings': {
          'properties': {
            'event': {
              'properties': {
                'action': {
                  'type': 'keyword'
                }
              }
            },  
            'timestamp': {
              'type': 'date'
            }
          }
        }
      }
    }
    

If you specified a custom date format that is not compatible with the format you are trying to query with, it might raise an error.
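The following is an added example, not the answer's own code. It builds the bool query the answer recommends with an explicit UTC time window written in the question's timestamp format, and it checks a body for the exact mistake behind the question's parsing_exception (two clauses placed directly under "query" instead of one). The field names event.action and timestamp are taken from the question, and the mapping from the answer (event.action as keyword, timestamp as date) is assumed; the client call is left commented out so the script runs without an Elasticsearch instance.

```python
"""Build and sanity-check an Elasticsearch bool query for ssh_login events
in a fixed time window. Added example; assumes the question's field names
and the answer's mapping (event.action: keyword, timestamp: date)."""
import json
from datetime import datetime, timedelta, timezone

# Assumed field names, taken from the question.
ACTION_FIELD = "event.action"
TIME_FIELD = "timestamp"


def to_es_timestamp(dt):
    """Format an aware UTC datetime as 2021-07-14T05:24:07.000Z (the question's shape)."""
    if dt.tzinfo is None or dt.utcoffset() != timedelta(0):
        raise ValueError("expected a timezone-aware UTC datetime")
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_es_timestamp(s):
    """Parse the question's timestamp format back into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def explicit_window(days, now):
    """Fixed-timestamp equivalent of the question's date math
    ('gte': 'now-<days>d/d', 'lt': 'now/d'): the half-open interval
    [start of (today - days), start of today) in UTC."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return to_es_timestamp(today - timedelta(days=days)), to_es_timestamp(today)


def build_query(action, gte, lt):
    """Exactly one clause ('bool') under 'query'; its 'must' array ANDs the
    exact keyword match with the range on the date field."""
    return {
        "query": {
            "bool": {
                "must": [
                    {"term": {ACTION_FIELD: {"value": action}}},
                    {"range": {TIME_FIELD: {"gte": gte, "lt": lt}}},
                ]
            }
        }
    }


def top_level_clauses(body):
    """Names of the clauses sitting directly under 'query'. Elasticsearch
    accepts exactly one; the question's body had two ('match' and 'range'),
    which is what the 400 parsing_exception complains about."""
    return sorted(body.get("query", {}).keys())


def is_well_formed(body):
    """True when the body has a single top-level query clause."""
    return len(top_level_clauses(body)) == 1


if __name__ == "__main__":
    gte, lt = explicit_window(2, datetime.now(timezone.utc))
    body = build_query("ssh_login", gte, lt)
    assert is_well_formed(body)
    print(json.dumps(body, indent=2))
    # from elasticsearch import Elasticsearch
    # Elasticsearch().search(index="YOUR INDEX NAME", body=body)
```

Using a closed "lt" bound instead of "lte" keeps adjacent windows from double-counting events that fall exactly on the boundary second, which matters when the query is run on a schedule to pull login events for detection.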