Score:0

How to pass values to query externally

abc

I have logs similar to the ones below.

I have created a dummy index and created a mapping like the one below in Dev Tools:

PUT new
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type":   "date",
        "format": "yyyy-MM-dd HH:mm:ss.SSS"
      }
    }
  }
}

and indexed data as below,

PUT /new/_doc/1
{
  "@timestamp": "2021-11-05 08:12:14.534",
  "level": "INFO",
  "id": "1",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/2
{
  "@timestamp": "2021-10-14 09:11:14.534",
  "level": "INFO",
  "id": "3",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/3
{
  "@timestamp": "2021-09-09 02:08:20.534",
  "level": "INFO",
  "id": "4",
  "text": "website is accessed",
  "status": "clicked"
}

I am able to fetch the total counts using the request query below,

GET new/_search
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

Getting response as below,

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

As you can see, I need to hardcode the date to fetch the value for a particular month, i.e. to fetch the same information for September, I need to modify the date-time range as below in the curl request:

"range": {
  "@timestamp": {
    "gte": "2021-09-01",
    "lte": "2021-09-30"
  }
}

Below is the curl call request.

curl -u elastic:xxx  -XGET "http://10.10.10.10:9200/new/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}'

How can I pass the year and month dynamically (i.e. without actually hardcoding them in the request itself) to the curl request, which will fetch the information for that particular month and year?


update -

I am able to get the results for last month (Nov) or last 2 months (Oct) and so on using below,

last month - Nov -

"gte": "now-M",
"lt": "now/M"

2 months - Oct

"gte": "now-2M/M",
"lte": "now-2M/M"

But is there a way to provide the desired year and month to retrieve results?

Thanks,

Score:0

You can use date math with fully defined dates:

"range": {
  "@timestamp": {
    "gte": "2021-10-01",
    "lte": "2021-10-01||+1M/d"
  }
}
abc
Thanks. OK, but again in that case the single curl request can't be used, i.e. for every new month, to get the data of last month, I need to change the timestamp in the curl request. For the current month Dec, if I have to fetch the data for Nov, then I need to change the `month` in the timestamp, and I will have to do the same when Jan is the current month and I need to fetch the data for Dec. Soon I need to change the year also, so this is not good. I don't want to create separate curl requests for every month, hence I am looking at whether I can pass the year and month without hardcoding them?
ng flag
How do you run that `curl`? If it's a bash script you could use bash scripting: `YEAR=2010; MONTH=10; curl ... "range": { "@timestamp": { "gte": "$YEAR-$MONTH-01", "lte": "$YEAR-$MONTH-01||+1M/d" } }` ?
abc
I was running curl as is, i.e. exactly the same way I have pasted above (without a bash script etc.), but yes, including this curl in a bash script and providing year and month as a variable can be a good option. I will try this. Thanks
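
The script approach from the comments above, written out as an added example (not part of the original thread): year and month are validated before they reach the JSON body, the previous month is computed with year rollover, and the range uses an exclusive `lt` bound at the start of the next month. `ES_URL`, `ES_NETRC` and the function names are assumptions; credentials are read from a netrc file so the password stays off the command line.

```shell
#!/bin/sh
# Added example: monthly count query built from validated arguments.
# ES_URL, ES_NETRC and all function names are assumptions, not from the thread.

# Print "YEAR MONTH" for the month before the given one (handles January).
prev_month() {
  local y="$1" m="${2#0}"
  if [ "$m" -eq 1 ]; then echo "$((y - 1)) 12"; else echo "$y $((m - 1))"; fi
}

# Print the query body, or fail if YEAR/MONTH are not plain numbers.
# The strict patterns keep quotes and braces out of the JSON.
build_query() {
  local year="$1" month="$2" start
  case "$year" in
    [0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid year: $year" >&2; return 1 ;;
  esac
  case "$month" in
    [1-9]|0[1-9]|1[0-2]) ;;
    *) echo "invalid month: $month" >&2; return 1 ;;
  esac
  start=$(printf '%s-%02d-01' "$year" "${month#0}")
  cat <<EOF
{
  "size": 0,
  "query": { "bool": { "filter": [
    { "match_phrase": { "text": "website is accessed" } },
    { "range": { "@timestamp": { "gte": "$start", "lt": "$start||+1M" } } }
  ] } }
}
EOF
}

# Run the query; the password comes from a netrc file, not from -u on argv.
monthly_count() {
  local body
  body=$(build_query "$1" "$2") || return 1
  curl --silent --fail --netrc-file "${ES_NETRC:-$HOME/.netrc}" \
    -H 'Content-Type: application/json' \
    -XGET "${ES_URL:-http://10.10.10.10:9200}/new/_search?pretty" -d "$body"
}

# Last month's count: monthly_count $(prev_month "$(date +%Y)" "$(date +%m)")
```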