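So I want to get all events starting from a certain time, for example from "2017-03-02T21:56:53.033Z".
I created an @timestamp field that just copies the runtime_timestamp field, because I am parsing this data into C#, and the @ symbol doesn't play well there.
Here is my Logstash filter, which works. I know that for a fact.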
filter {
  mutate {
    add_field => ["runtime_timestamp", "%{@timestamp}"]
  }
}
This is what I have now, but it doesn't work.
{
"query": {
"range": {
"runtime_timestamp":
"2017-03-02T21:56:53.033Z"
},
"_source": {
"includes": [
"runtime_timestamp",
"id_orig_p",
"id_orig_p",
"id_orig_h",
"conn_state",
"id_resp_h",
"id_resp_p",
"service",
"proto",
"tags"
]
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
Now I get the following error from this query.
{
"error" : {
"root_cause" : [
{
"type" : "parsing_exception",
"reason" : "[range] query does not support [runtime_timestamp]",
"line" : 5,
"col" : 9
}
],
"type" : "parsing_exception",
"reason" : "[range] query does not support [runtime_timestamp]",
"line" : 5,
"col" : 9
},
"status" : 400
}
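I also tried this query using timestamp in place of runtime_timestamp, but I still get the same error.
Answer 0 (score: 1)
Your range query is malformed. Try this (gte means greater than or equal to):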
{
  "query": {
    "range": {
      "runtime_timestamp": {
        "gte": "2017-03-02T21:56:53.033Z"
      }
    }
  }
}
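The following is an added example, not code from the question or the answer: it builds the full request body with the answer's range clause, keeping the question's "_source" and "sort" as siblings of "query" (as posted, the braces place them inside it), and lints a body for both mistakes. The names events_since, check_body, FIELDS and BROKEN are hypothetical, and BROKEN is a constructed copy of the question's shape.

```python
import json
from datetime import datetime

# Comparison operators this lint accepts inside a range clause.
RANGE_OPS = {"gt", "gte", "lt", "lte"}
# Field list taken from the question's _source filter (duplicate removed).
FIELDS = ["runtime_timestamp", "id_orig_p", "id_orig_h", "conn_state",
          "id_resp_h", "id_resp_p", "service", "proto", "tags"]


def events_since(since, field="runtime_timestamp", fields=FIELDS):
    """Build a search body for all events at or after `since` (ISO 8601, 'Z')."""
    # Reject values that are not timestamps before they reach the cluster.
    datetime.strptime(since, "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        # "query" holds only the range clause; the field maps to an object.
        "query": {"range": {field: {"gte": since}}},
        # "_source" and "sort" sit beside "query", not inside it.
        "_source": {"includes": list(fields)},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def check_body(body):
    """Return a list of structural problems in a search body (empty if none)."""
    problems = []
    query = body.get("query", {})
    for key in ("_source", "sort"):
        if key in query:
            problems.append(f"{key} is nested inside query")
    for name, spec in query.get("range", {}).items():
        if not isinstance(spec, dict):
            problems.append(f"range on {name} needs an object such as {{'gte': ...}}")
        elif not set(spec) & RANGE_OPS:
            problems.append(f"range on {name} has no gt/gte/lt/lte bound")
    return problems


# Constructed copy of the question's shape: bare string, _source/sort in query.
BROKEN = {"query": {"range": {"runtime_timestamp": "2017-03-02T21:56:53.033Z"},
                    "_source": {"includes": FIELDS},
                    "sort": [{"@timestamp": {"order": "desc"}}]}}

if __name__ == "__main__":
    print(check_body(BROKEN))
    print(json.dumps(events_since("2017-03-02T21:56:53.033Z"), indent=2))
```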