Why is my timestamp range query returning nothing

Question

I'm using elasticsearch open distro in order to create an alert system. But I have one issue with my elasticsearch query:

"search": {
                "indices": ["test_alert"],
                "query": {
                    "size": 3,
                    "aggregations": {},
                    "query": {
                        "bool": {
                            "filter": {
                                "range": {
                                    "@timestamp": {
                                        "gte": "now-1h",
                                        "lte": "now",
                                        "format": "epoch_second"
                                    }
                                }
                            }
                        }
                    }
                }
            }

This is the query I use in my open-distro monitor. The problem is the now-1h doesn't seem to work, I always get an empty result. I tried with raw timestamps (in order to match and get results) and it worked well. I don't understand why the range is not working at all when I'm using now-1h.

Here is my mapping:

properties": {
    "timestamp": {
        "type": "date",
        "format": "epoch_second"
    },
    "value": {
        "type": "long"
    }
}

Thanks for your help !

Answer 1

Your mapping says timestamp but your query has @timestamp. The two need to be consistently named. BTW there's nothing special about @timestamp -- it's just a convention. You can do range.gte now-1h on any datetime fields.

Correct mapping:

PUT test_alert
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "epoch_second"
      },
      "value": {
        "type": "long"
      }
    }
  }
}