
To reproduce this error I have tried Elasticsearch 2.x and 5.x, but it doesn't work in either of them.

I have lots of logs saved in my Elasticsearch instance. They have a field called timestamp whose format is "YYYY-MM-dd HH-mm-ss.SSS" (for example, "2017-11-02 00:00:00.000"). When I try to send a query via POSTMAN which is this:

{
  "query": {
    "range": {
      "timestamp": {
        "gte": "2017-10-21 00:00:00.000",
        "lte": "2017-10-27 00:00:00.000"
      }
    }
  }
}

I receive nothing, and there are more than 500 logs in that range. What am I doing wrong?

EDIT: My index (loganalyzer):

{
  "loganalyzer" : {
    "aliases" : { },
    "mappings" : {
      "logs" : {
        "properties" : {
          "entireLog" : {
            "type" : "string"
          },
          "formattedMessage" : {
            "type" : "string"
          },
          "id" : {
            "type" : "string"
          },
          "level" : {
            "type" : "string"
          },
          "loggerName" : {
            "type" : "string"
          },
          "testNo" : {
            "type" : "string"
          },
          "threadName" : {
            "type" : "string"
          },
          "timestamp" : {
            "type" : "string"
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "refresh_interval" : "1s",
        "number_of_shards" : "5",
        "creation_date" : "1507415366223",
        "store" : {
          "type" : "fs"
        },
        "number_of_replicas" : "1",
        "uuid" : "9w3QQQc0S0K0NcKtOERtTw",
        "version" : {
          "created" : "2040699"
        }
      }
    },
    "warmers" : { }
  }
}

What I receive when sending the request:

{
    "took": 429,
    "timed_out": false,
    "_shards": {
        "total": 5,
        "successful": 5,
        "failed": 0
    },
    "hits": {
        "total": 0,
        "max_score": null,
        "hits": []
    }
}

And status 200 (OK).

  • Maybe POSTMAN is not doing the right thing. Try with curl. Commented Nov 2, 2017 at 13:47
  • Are you getting any response/error message? Try to expand your range, maybe you'll see some data. Commented Nov 2, 2017 at 13:49
  • Can you show the mapping of your timestamp field? curl -XGET localhost:9200/your_index Commented Nov 2, 2017 at 13:52
  • As @Val said, seeing your mappings should make this a relatively simple fix. Commented Nov 2, 2017 at 13:56
  • There you go, timestamp is of type string while it should be a date instead for your range query to work as expected. Commented Nov 2, 2017 at 14:53

1 Answer

Your edit with the mappings indicates the problem. The reason you aren't getting any result is that it's attempting to find a "range" for the string you're providing against the values of the field in your index, which are also treated as a string.

      "timestamp" : {
        "type" : "string"
      }

Here's the elastic documentation on that mapping type.

You need to apply a date mapping to that field before indexing, or reindex to a new index that has that mapping applied prior to ingestion.

Here is what the mapping request could look like, conforming to your timestamp format:

PUT loganalyzer
{
  "mappings": {
    "logs": {
      "properties": {
        "timestamp": {
          "type":   "date",
          "format": "YYYY-MM-dd HH-mm-ss.SSS"
        }
      }
    }
  }
}
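Before applying a date mapping and reindexing, it pays to confirm that the `format` string actually parses the stored values, since a date field whose format does not match the data rejects those documents at index time. This added example (not code from the question or the answer) checks sample values in the shape the question gives against the format as written in the question and against a variant with colons in the time part; the Joda-to-strptime token table and the sample values are constructed for this check.

```python
from datetime import datetime

# Constructed translation of the Joda-style tokens used on this page into
# strptime directives; not a full Joda parser. Joda's "YYYY" is the ISO
# week-year and "yyyy" the calendar year; both map to %Y here because the
# check only asks whether the stored strings have the shape the format expects.
_TOKENS = [
    ("YYYY", "%Y"), ("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"), ("SSS", "%f"),
]

def joda_to_strptime(fmt: str) -> str:
    """Rewrite an Elasticsearch date `format` into a strptime pattern."""
    for token, directive in _TOKENS:
        fmt = fmt.replace(token, directive)
    return fmt

def check_format(fmt: str, samples: list) -> dict:
    """Return {sample: True/False} telling which values the format parses."""
    pattern = joda_to_strptime(fmt)
    verdict = {}
    for value in samples:
        try:
            datetime.strptime(value, pattern)
            verdict[value] = True
        except ValueError:
            verdict[value] = False
    return verdict

def all_parse(fmt: str, samples: list) -> bool:
    """True only if every sample parses, i.e. the format is safe to map."""
    return all(check_format(fmt, samples).values())

def date_mapping(doc_type: str, field: str, fmt: str) -> dict:
    """Body for `PUT <index>` mapping `field` as a date with `fmt`."""
    return {"mappings": {doc_type: {"properties": {
        field: {"type": "date", "format": fmt}}}}}

# Constructed sample values in the shape the question describes.
SAMPLES = ["2017-11-02 00:00:00.000", "2017-10-21 13:47:05.123"]
FORMAT_AS_WRITTEN = "YYYY-MM-dd HH-mm-ss.SSS"     # hyphens in the time part
FORMAT_MATCHING_DATA = "yyyy-MM-dd HH:mm:ss.SSS"  # colons, as in the samples

if __name__ == "__main__":
    for fmt in (FORMAT_AS_WRITTEN, FORMAT_MATCHING_DATA):
        print(fmt, "->", check_format(fmt, SAMPLES))
    print(date_mapping("logs", "timestamp", FORMAT_MATCHING_DATA))
```

Run it against a handful of real values pulled from the existing index before issuing the PUT; only a format for which `all_parse` returns True should go into the mapping.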