I want to run 2 filters for the data. The data should be in a time range and should have a severity of a particular type. I am getting an empty response.
    {
      "query": {
        "bool": {
          "filter": [
            {
              "term": {
                "severity.keyword": "Critical"
              }
            },
            {
              "range": {
                "start_time": {
                  "gte": "now-1d/d",
                  "lte": "now/d"
                }
              }
            }
          ]
        }
      }
    }
Here's a sample doc:
    {
      "_index": "historical_alerts-000035",
      "_type": "_doc",
      "_id": "L3KCe4IB5gpwX0ta7_iA",
      "_score": 0,
      "_source": {
        "stack": "M2",
        "organization": "Terminals",
        "data_center": "notset",
        "element_name": "dshdn4n34n34n3",
        "instance_name": "",
        "class_name": "Multimedia VSAT",
        "nmd": "notset",
        "dynamic_app_name": "Internal",
        "policy_name": "App Exception",
        "severity": "Minor",
        "user_id": "undef",
        "start_time": 1659922229000,
        "stop_time": 1659924089000,
        "clear_duration": 1860,
        "event_id": "63964892",
        "event_text": "App: 58, Snippet: 53 reported a collection problem (Explanation: SNMP error returned)",
        "value": null,
        "user_acked": null,
        "user_del": null,
        "ack_time": 0
      }
    }
And yes, this doc has severity Minor, but I have tried that filter as well in combination with the date range and got no results back.
Here's the mapping:
    {
      "mappings": {
        "_doc": {
          "dynamic": "true",
          "dynamic_date_formats": [
            "strict_date_optional_time",
            "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
          ],
          "dynamic_templates": [],
          "date_detection": true,
          "numeric_detection": false,
          "properties": {
            "ack_time": {
              "type": "long"
            },
            "class_name": {
              "type": "text",
              "index_options": "docs",
              "norms": false
            },
            "clear_duration": {
              "type": "float",
              "ignore_malformed": false,
              "coerce": true
            },
            "data_center": {
              "type": "text",
              "index_options": "docs",
              "norms": false
            },
            "dynamic_app_name": {
              "type": "text"
            },
            "element_name": {
              "type": "text"
            },
            "event_id": {
              "type": "long"
            },
            "event_text": {
              "type": "text"
            },
            "instance_name": {
              "type": "text"
            },
            "nmd": {
              "type": "text"
            },
            "organization": {
              "type": "text"
            },
            "policy_name": {
              "type": "text"
            },
            "severity": {
              "type": "text"
            },
            "stack": {
              "type": "text"
            },
            "start_time": {
              "type": "date",
              "format": "epoch_millis"
            },
            "stop_time": {
              "type": "date",
              "format": "epoch_millis"
            },
            "user_acked": {
              "type": "text"
            },
            "user_del": {
              "type": "text"
            },
            "user_id": {
              "type": "text"
            },
            "value": {
              "type": "long"
            }
          }
        }
      }
    }
The "severity" field is a "text" type that generates the "minor" token (the value of the example you sent). You use the filter with the "term" clause (this clause requires an exact match of the term), i.e. "minor" != "Minor". For it to work you would have to map the field "severity" as a keyword as well.
For your query to work without changing the mapping, you can do this:
    "filter": [
      {
        "term": {
          "severity": "minor"
        }
      },
      {
        "range": {
          "start_time": {
            "gte": "now-1d/d",
            "lte": "now/d"
          }
        }
      }
    ]
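As an added illustration that is not part of the question or the answer, the Python model below mimics what the index holds for the mapping above and runs the four variants of the filter discussed: the original `severity.keyword` term (no such sub-field in the mapping), `severity: "Minor"`, the answer's lower-cased `severity: "minor"`, and `severity.keyword: "Critical"` once severity is also mapped as a keyword. The three sample hits, the `_id` values and the fixed time window standing in for `now-1d/d`..`now/d` are constructed; the analyzer is a simplification of Elasticsearch's standard analyzer.

```python
import re

# Constructed sample hits modelled on the question's document (not real data).
DOCS = [
    {"_id": "a1", "severity": "Minor", "start_time": 1659922229000},
    {"_id": "a2", "severity": "Critical", "start_time": 1659925000000},
    {"_id": "a3", "severity": "Critical", "start_time": 1659000000000},
]
# Fixed window standing in for "now-1d/d".."now/d": 2022-08-08T00:00Z to 2022-08-09T00:00Z.
WINDOW = (1659916800000, 1660003200000)

def standard_analyze(value):
    # Approximates the default 'standard' analyzer on a text field:
    # split on non-word characters, lowercase every token.
    return [tok.lower() for tok in re.findall(r"\w+", value)]

def build_index(docs, keyword_subfield=False):
    # Inverted index: 'severity' (text) holds analyzed tokens; the optional
    # 'severity.keyword' sub-field holds the raw value exactly as written.
    index = {"severity": {}}
    if keyword_subfield:
        index["severity.keyword"] = {}
    for doc in docs:
        for tok in standard_analyze(doc["severity"]):
            index["severity"].setdefault(tok, set()).add(doc["_id"])
        if keyword_subfield:
            index["severity.keyword"].setdefault(doc["severity"], set()).add(doc["_id"])
    return index

def term_filter(index, field, value):
    # 'term' does no analysis: the value must equal an indexed token exactly.
    # A field that is not in the mapping (no '.keyword' sub-field) matches nothing.
    return index.get(field, {}).get(value, set())

def range_filter(docs, gte_ms, lte_ms):
    # 'range' on an epoch_millis date: inclusive numeric comparison.
    return {d["_id"] for d in docs if gte_ms <= d["start_time"] <= lte_ms}

def bool_filter(docs, index, field, value):
    # bool/filter: a hit must satisfy every clause, i.e. the intersection.
    return sorted(term_filter(index, field, value) & range_filter(docs, *WINDOW))

if __name__ == "__main__":
    plain = build_index(DOCS)                         # mapping from the question
    multi = build_index(DOCS, keyword_subfield=True)  # severity also mapped as keyword
    print(bool_filter(DOCS, plain, "severity.keyword", "Critical"))  # []     no such field
    print(bool_filter(DOCS, plain, "severity", "Minor"))             # []     token is "minor"
    print(bool_filter(DOCS, plain, "severity", "minor"))             # ['a1'] the answer's fix
    print(bool_filter(DOCS, multi, "severity.keyword", "Critical"))  # ['a2'] after remapping
```

The first two cases fail silently rather than erroring, which is the point to remember when such a filter feeds an alert dashboard: a case mismatch or a missing `.keyword` sub-field makes every Critical alert in the window disappear from the result without any indication that the query was wrong.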