For reference, here is the code. I am trying to make a hubot plugin that logs to elasticsearch and then uses hubot commands to search those logs.

https://gist.github.com/4050748

I am trying to retrieve records that match two queries.

{
  query: {
    match: {
      user: "SomeUsername"
    },
    range: {
      date: {
        from: (Date.now() - 3600)
      }
    }
  },
  size: 50
}

I was expecting:

  • Up to 50 records
  • records that had the given user
  • records in the last hour

I got:

  • up to 10 records
  • records that had the given user
  • from any time

How do I get all the records with some username in the last hour? Do I need to use match_all with filters? Is what I am attempting unsupported?

In SQL it would be something like:

SELECT * FROM messages WHERE user_name = ? AND time > ?
EnabrenTane

2 Answers

For anyone who stumbles on this question and wonders what it looks like to combine a match and range query in ElasticSearch, this example would look like:

curl 'localhost:9200/<index>/_search?pretty=true' -d '{
  "query" : {
    "bool": {
      "must": [
        {
          "match": {
            "user": "SomeUsername"
          }
        },
        {
          "range" : {
            "date": {
              "gt": "now-1h"
            }
          }
        }
      ]
    }
  }
}'
Cody A. Ray
You need to use the bool query to combine different queries together. You can then choose whether each single query must match, should match (optional), or must not match.

javanna
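As an added example (not code from the question or either answer), the following JavaScript builds the bool query both answers describe and evaluates it locally against constructed hubot log documents, so the must / should / must_not semantics and the default hit size of 10 can be checked without a cluster. It goes a step beyond the page: `match` is simplified to exact field equality, date math covers only `now` and `now-<n>h`, and `SAMPLE_LOGS` and `NOW` are made-up values.

```javascript
const HOUR_MS = 60 * 60 * 1000;
// Constructed hubot log documents and a fixed "now" so the run is reproducible.
const NOW = Date.parse("2012-11-10T12:00:00Z");
const SAMPLE_LOGS = [
  { user: "SomeUsername", date: "2012-11-10T11:30:00Z", msg: "deploy ok" },
  { user: "SomeUsername", date: "2012-11-10T09:00:00Z", msg: "three hours old" },
  { user: "other", date: "2012-11-10T11:45:00Z", msg: "recent, other user" },
];
// Search body from the answers: bool.must ANDs the match and range clauses,
// "now-1h" is Elasticsearch date math, and size raises the default of 10 hits.
function buildUserLastHourQuery(user, size = 50) {
  return {
    size,
    query: { bool: { must: [
      { match: { user } },
      { range: { date: { gt: "now-1h" } } },
    ] } },
  };
}
// Resolve the slice of date math used here ("now", "now-<n>h"); anything else is an absolute date.
function resolveDateMath(value, now) {
  const m = /^now(?:-(\d+)h)?$/.exec(String(value));
  return m ? now - Number(m[1] || 0) * HOUR_MS : new Date(value).getTime();
}
// Leaf clauses: match is simplified to exact equality (no text analysis); range supports gt only.
function leafMatches(clause, doc, now) {
  if (clause.match) {
    const [field, value] = Object.entries(clause.match)[0];
    return String(doc[field]) === String(value);
  }
  if (clause.range) {
    const [field, bounds] = Object.entries(clause.range)[0];
    return new Date(doc[field]).getTime() > resolveDateMath(bounds.gt, now);
  }
  throw new Error("unsupported clause: " + JSON.stringify(clause));
}
// bool semantics: every must clause holds and no must_not clause does; should
// clauses are optional when a must exists, otherwise at least one must hold.
function boolMatches(bool, doc, now) {
  const { must = [], should = [], must_not: mustNot = [] } = bool;
  if (!must.every(c => leafMatches(c, doc, now))) return false;
  if (mustNot.some(c => leafMatches(c, doc, now))) return false;
  return must.length > 0 || should.length === 0 || should.some(c => leafMatches(c, doc, now));
}
// Apply the body to the documents; size defaults to 10 hits, as Elasticsearch does.
function search(body, docs, now = NOW) {
  const size = body.size === undefined ? 10 : body.size;
  return docs.filter(d => boolMatches(body.query.bool, d, now)).slice(0, size);
}
```

Running `search(buildUserLastHourQuery("SomeUsername"), SAMPLE_LOGS)` returns only the recent document for that user; dropping the range clause into a sibling of `match`, as in the question, is not a valid query shape here and would throw.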