0

I have below similar logs.

I have created dummy index and created mapping like below in dev-tools

PUT new { "mappings": { "properties": { "@timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss.SSS" } } } }

and indexed data as below,

PUT /new/_doc/1 { "@timestamp": "2021-11-05 08:12:14.534", "level": "INFO", "id": "1", "text": "website is accessed", "status": "clicked" } PUT /new/_doc/2 { "@timestamp": "2021-10-14 09:11:14.534", "level": "INFO", "id": "3", "text": "website is accessed", "status": "clicked" } PUT /new/_doc/3 { "@timestamp": "2021-09-09 02:08:20.534", "level": "INFO", "id": "4", "text": "website is accessed", "status": "clicked" }

I am able to fetch the total counts using below request query,

GET new/_search { "aggs": {}, "size": 0, "fields": [], "query": { "bool": { "must": [], "filter": [ { "bool": { "should": [ { "match_phrase": { "text": "website is accessed" } } ], "minimum_should_match": 1 } }, { "range": { "@timestamp": { "gte": "2021-10-01", "lte": "2021-10-30" } } } ], "should": [], "must_not": [] } } }

Getting response as below,

{ "took" : 0, "timed_out" : false, "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 1, "relation" : "eq" }, "max_score" : null, "hits" : [ ] } }

As you see, i need to hardcode the date to fetch the value for a particular month i.e to fetch the same information for sept month, I need to modify the date time range as below in curl request,

"range": { "@timestamp": { "gte": "2021-09-01", "lte": "2021-09-30" } }

Below is the curl call request.

curl -u elastic:xxx -XGET "http://10.10.10.10:9200/new/_search?pretty" -H 'Content-Type: application/json' -d' { "aggs": {}, "size": 0, "fields": [], "query": { "bool": { "must": [], "filter": [ { "bool": { "should": [ { "match_phrase": { "text": "website is accessed" } } ], "minimum_should_match": 1 } }, { "range": { "@timestamp": { "gte": "2021-10-01", "lte": "2021-10-30" } } } ], "should": [], "must_not": [] } } }'

How can I pass year and month dynamically (i.e without actually hardcoding it request itself) to the curl request which will fetch the information for that particular month, year?

update -

I am able to get the results for last month (Nov) or last 2 months (Oct) and so on using below,

last month - Nov -

"gte": "now-M", "lt": "now/M"

2 months - Oct

"gte": "now-2M/M", "lte": "now-2M/M"

But is there way to provide desired year and month to retrieve results?

Thanks,

Improve this question

1 Answer 1

Reset to default
0

You can use date math with fully defined dates:

"range": { "@timestamp": { "gte": "2021-10-01", "lte": "2021-10-01||+1M/d" } }
Improve this answer
3
  • Thanks Ok but again in that case, the single curl request can't be used i.e for every new month to get the data of last month, I need to change the timestamp in the curl request i.e for current month Dec, if i have to fetch the data for Nov, then i need to change the month in the timestamp and same will have to do when Jan will be the current month and I need to fetch the data for Dec month. Soon i need to change the year also. so this this is not good. I don't want to create separate curl requests for every month, hence i am looking, if I can pass the year and month not via hardcoded way? Commented Dec 3, 2021 at 12:15
  • How do you run that curl? If it's a bash script you could use bash scripting: YEAR=2010; MONTH=10; curl ... "range": { "@timestamp": { "gte": "$YEAR-$MONTH-01", "lte": "$YEAR-$MONTH-01||+1M/d" } } ? Commented Dec 3, 2021 at 17:51
  • I was running curl as is i.e exactly the same way i have pasted above (without bash script etc..) but yes including this curl in bash script and providing year and month as an variable can be a good option. I will try this. Thanks Commented Dec 4, 2021 at 13:12

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.