I am looking for examples with the syntax of different elasticsearch queries to get some selected fields from several daily-based indices (one index per day, for the last 30 days -> using elasticsearch index life management), based on timestamps and text matches from different available fields (all stored elasticsearch entries have a timestamp). For instance I need to query all records where the field "Message" contains the text "Important", for the last two weeks from now.
Here are some more examples where I am looking for the elasticsearch query syntax:
- query all the records based on some filter, for the period 20 days ago - 25 days ago from now
- query all the records based on some filter, for the last 5 days, but only between 14 and 16 o'clock on each day
- query all the records based on some filter, for some period of time, and additionally all other records with a timestamp less than 1 second before the matches and also within the next 2 seconds after the matches, if any
I am using the serilog elasticsearch sink to write logs to elasticsearch. Here is what the index mapping looks like:

```json
{
  "logstash-2019.05.17": {
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "fields": {
          "properties": {
            "Author": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
            "Ctx": {
              "properties": {
                "Function": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
                "TS": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }
              }
            },
            "Msg": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
            "OrderId": { "type": "long" }
          }
        },
        "level": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
        "message": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } },
        "messageTemplate": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } }
      }
    }
  }
}
```
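The query bodies for the cases listed in the question, as an added example that is not part of the original post. It builds Elasticsearch 7 query DSL in Python: a `match` on the free-text field combined with a `range` on `@timestamp` (using date math such as `now-14d/d` so the daily indices are addressed through the `logstash-*` pattern rather than one by one), a Painless script filter for the hour-of-day restriction, and a second-step range query that fetches the records surrounding one matched hit. Assumptions not stated in the question: the index pattern `logstash-*`, the top-level `message` field from the posted mapping as the text field (the question says "Message"), an Elasticsearch 7 cluster (for `getHour()` in Painless) and UTC timestamps; the hit timestamp and id at the bottom are constructed sample values.

```python
"""Elasticsearch 7 query bodies for time-bounded full-text searches over daily indices.

Added example, not the asker's code. Assumptions (not in the question):
- the daily indices match the pattern "logstash-*" (the mapping shows logstash-2019.05.17);
- the free-text field is the top-level "message" field from the posted mapping;
- Elasticsearch 7 (Painless ZonedDateTime.getHour()) and UTC timestamps.
"""
from datetime import datetime, timedelta

INDEX_PATTERN = "logstash-*"   # assumption: one index per day, all matched by the wildcard
TEXT_FIELD = "message"         # assumption: text field taken from the posted mapping


def text_in_range(text, gte, lt, field=TEXT_FIELD):
    """Bool query: full-text match on `field` AND @timestamp in [gte, lt).

    gte/lt accept Elasticsearch date math ("now-14d/d") or ISO-8601 strings.
    The range goes into `filter` (no scoring), the match into `must`.
    """
    return {
        "query": {
            "bool": {
                "must": [{"match": {field: text}}],
                "filter": [{"range": {"@timestamp": {"gte": gte, "lt": lt}}}],
            }
        }
    }


def last_days(text, days):
    """Case 1: records from the last `days` days, rounded down to midnight (/d)."""
    return text_in_range(text, f"now-{days}d/d", "now")


def days_ago_window(text, newest, oldest):
    """Case 2: records between `oldest` and `newest` days ago (e.g. 25 and 20)."""
    return text_in_range(text, f"now-{oldest}d/d", f"now-{newest}d/d")


def last_days_between_hours(text, days, hour_from, hour_to):
    """Case 3: last `days` days, but only between hour_from (incl.) and hour_to (excl.)
    on each day. A script filter is used because the range query cannot express
    a recurring daily window; it runs per document, so keep the date range tight."""
    body = last_days(text, days)
    body["query"]["bool"]["filter"].append({
        "script": {
            "script": {
                "lang": "painless",
                "source": ("int h = doc['@timestamp'].value.getHour(); "
                           "return h >= params.from && h < params.to;"),
                "params": {"from": hour_from, "to": hour_to},
            }
        }
    })
    return body


def _parse_ts(ts):
    """Parse an Elasticsearch ISO timestamp such as 2019-05-17T14:03:21.123Z."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def neighbors_of(hit_timestamp, before_s=1, after_s=2, hit_id=None):
    """Case 4, second step: every record from `before_s` seconds before to `after_s`
    seconds after one matched record, oldest first. Run the filtered search first,
    then call this once per hit; `hit_id` (the hit's _id) excludes the hit itself."""
    ts = _parse_ts(hit_timestamp)
    body = {
        "query": {
            "bool": {
                "filter": [{"range": {"@timestamp": {
                    "gte": (ts - timedelta(seconds=before_s)).isoformat(),
                    "lte": (ts + timedelta(seconds=after_s)).isoformat(),
                }}}],
            }
        },
        "sort": [{"@timestamp": "asc"}],
    }
    if hit_id is not None:
        body["query"]["bool"]["must_not"] = [{"ids": {"values": [hit_id]}}]
    return body


if __name__ == "__main__":
    import json
    print(json.dumps(last_days("Important", 14), indent=2))
    print(json.dumps(days_ago_window("Important", 20, 25), indent=2))
    print(json.dumps(last_days_between_hours("Important", 5, 14, 16), indent=2))
    # constructed sample hit, as a search response would return it
    sample_hit = {"_id": "AWrExampleId", "_source": {"@timestamp": "2019-05-17T14:03:21.123Z"}}
    print(json.dumps(neighbors_of(sample_hit["_source"]["@timestamp"],
                                  hit_id=sample_hit["_id"]), indent=2))
```

Each body is what you would pass to the `_search` endpoint of the wildcard index, e.g. `es.search(index=INDEX_PATTERN, body=last_days("Important", 14))` with the official Python client. Date math keeps the queries relative to "now" on the cluster, so they do not need to be regenerated each day; the script filter in case 3 is the only part that scans documents one by one, which is why it is combined with the date range rather than used alone.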