I want to perform a query using SQL syntax in Elasticsearch using the URL /_sql and use a date filter in the where clause. So far, if I use this query in the body

{
    "query": "SELECT count(*) from logstash where Severity='ERROR'"
}

I get some results, then if I try to filter by @timestamp

{
    "query": "SELECT Time from logstash where Severity='ERROR'  and '@timestamp' > NOW() - INTERVAL 30 MINUTES"
}

Instead of getting 0 in the count, or a smaller number than before, I simply get nothing. If I remove the quotes around @timestamp it raises an error (not expecting the @ symbol), and if I use timestamp it suggests that I use @timestamp, as timestamp is not a valid field.

How can I filter by @timestamp? Or how should I escape the @ symbol for the field?

1 Answer

Instead of surrounding it with single quotes I needed to surround it with double quotes, so:

{
    "query": "SELECT count(*) from logstash where Severity='ERROR' and \"@timestamp\" > NOW() - INTERVAL 30 MINUTES"
}

worked.
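The distinction the answer relies on (double quotes delimit identifiers such as field names, single quotes delimit string literals, as in ANSI SQL) is also what keeps a user-supplied value from being read as a field or as extra SQL. As an added example, not part of the question or answer, here is a small Python helper that builds the /_sql request body with "@timestamp" quoted as an identifier and the severity value as a literal; the index and field names come from the question, while the identifier character set and the quote-doubling escape are my assumptions.

```python
import json
import re

# Assumption: field and index names are restricted to this character set.
# Anything else (including an embedded double quote) is rejected rather than
# escaped, so a value can never be promoted into the identifier position.
_IDENT_RE = re.compile(r"^[A-Za-z_@][A-Za-z0-9_@.\-]*$")


def is_safe_identifier(name: str) -> bool:
    """True if name may be used as an Elasticsearch SQL identifier."""
    return bool(_IDENT_RE.match(name))


def quote_identifier(name: str) -> str:
    """Wrap a field/index name in double quotes, the identifier delimiter."""
    if not is_safe_identifier(name):
        raise ValueError(f"refusing unexpected identifier: {name!r}")
    return f'"{name}"'


def quote_literal(value: str) -> str:
    """Wrap a value in single quotes, doubling embedded single quotes
    (assumed standard SQL escaping for string literals)."""
    return "'" + value.replace("'", "''") + "'"


def build_recent_errors_query(index: str, severity_field: str, severity: str,
                              ts_field: str, minutes: int) -> dict:
    """Return the JSON body for POST /_sql counting recent rows.

    The interval is an integer spliced in only after a type/range check,
    so it can never carry SQL text.
    """
    if not isinstance(minutes, int) or minutes <= 0:
        raise ValueError("minutes must be a positive integer")
    sql = (
        f"SELECT count(*) FROM {quote_identifier(index)} "
        f"WHERE {quote_identifier(severity_field)} = {quote_literal(severity)} "
        f"AND {quote_identifier(ts_field)} > NOW() - INTERVAL {minutes} MINUTES"
    )
    return {"query": sql}


if __name__ == "__main__":
    body = build_recent_errors_query("logstash", "Severity", "ERROR", "@timestamp", 30)
    print(json.dumps(body))
```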
