Query not working when using timestamp filter

#1

Hello there,
I’m new to using open-distro alerting with my AWS Elasticsearch cluster. I’m trying to set up a query to return how many 200 status code values there are for a certain timeframe. Below is the query I am using. When using the filter in the query I get zero hits; if I remove the timestamp filter I get hits from the query.

Is there a different string or query to use for the timestamp when using open-distro?

{
  "size": 0,
  "query": {
    "bool": {
      "must": {
        "match": {
          "sc_status": {
            "query": "200",
            "operator": "OR",
            "prefix_length": 0,
            "max_expansions": 50,
            "fuzzy_transpositions": true,
            "lenient": false,
            "zero_terms_query": "NONE",
            "auto_generate_synonyms_phrase_query": true,
            "boost": 1
          }
        }
      },
      "filter": {
        "range": {"@timestamp": {"gte": "<{now-5m}>"}}
      }
    }
  }
}

#2

Hi @jberto78,

We do provide the parameters {{period_start}} and {{period_end}}, which represent the schedule period of the monitor.

I’d suggest double-checking your mappings to make sure you have a @timestamp field on the documents you’re querying, along with pasting the query in Kibana Dev Tools to verify that your query is correct. You could remove the match on sc_status and try just your range query to debug the issue better.

#3

@dbbaughe - Thanks for the feedback. I found what I was doing wrong; it had to do with how I was writing the now-5m in the query. I changed it to "gte": "now-15m" (removing the <{}>) and I was able to get the results both from Kibana Dev Tools and from the alerting.

Thanks.
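As an added example (not code from this thread or from the Open Distro project), the following Python checks a monitor's @timestamp range bounds before the monitor is saved: it evaluates plain Elasticsearch date math such as now-15m, rejects the <{now-5m}> form from post #1, accepts the {{period_start}} and {{period_end}} parameters mentioned in post #2 verbatim, and builds the match-plus-range query as a bool query. The month and year units and the '<date>||' anchor form are assumed out of scope and rejected rather than evaluated.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed-length units of Elasticsearch date math. Months (M), years (y) and
# the '<date>||' anchor form are rejected here rather than guessed at.
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
DATE_MATH = re.compile(r"^now((?:[+-]\d+[smhdw])*)(/[smhd])?$")
STEP = re.compile(r"([+-])(\d+)([smhdw])")
ROUND_TO = {"d": ("hour", "minute", "second"), "h": ("minute", "second"), "m": ("second",)}

def evaluate_date_math(expr, now):
    """Resolve 'now-15m' or 'now-1h/d' relative to `now`. Raises ValueError for
    anything that is not date math, e.g. the '<{now-5m}>' string from post #1."""
    m = DATE_MATH.match(expr)
    if not m:
        raise ValueError(f"not a valid date-math expression: {expr!r}")
    t = now
    for sign, amount, unit in STEP.findall(m.group(1)):
        delta = timedelta(**{UNITS[unit]: int(amount)})
        t = t + delta if sign == "+" else t - delta
    if m.group(2):  # '/d', '/h', '/m' or '/s': round down to that unit
        t = t.replace(**{f: 0 for f in ROUND_TO.get(m.group(2)[1], ())}, microsecond=0)
    return t

def resolve(expr, now_iso="2020-01-01T12:30:45+00:00"):
    """Evaluate `expr` against an ISO-8601 'now' (constructed default) and return ISO."""
    return evaluate_date_math(expr, datetime.fromisoformat(now_iso)).isoformat()

def is_valid_date_math(expr):
    try:
        evaluate_date_math(expr, datetime.now(timezone.utc))
        return True
    except ValueError:
        return False

# Alerting substitutes these mustache parameters with the monitor's schedule
# period before the query runs, so they are accepted as-is, not evaluated.
MONITOR_PARAMS = {"{{period_start}}", "{{period_end}}"}

def status_count_query(gte="now-15m", lte=None):
    """Build the corrected monitor query (match and range combined in a bool
    query), refusing any range bound that would return zero hits as in the thread."""
    bounds = {"gte": gte, **({"lte": lte} if lte else {})}
    for bound in bounds.values():
        if bound not in MONITOR_PARAMS and not is_valid_date_math(bound):
            raise ValueError(f"bad @timestamp bound: {bound!r}")
    return {"size": 0, "query": {"bool": {
        "must": [{"match": {"sc_status": "200"}}],
        "filter": [{"range": {"@timestamp": bounds}}]}}}
```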