I am trying to query the ELK using the following query:
```python
query = {
    "query": {
        "match": {"event.action": "ssh_login"},
        "range": {
            "timestamp": {
                "gte": "now-2d/d",
                "lt": "now/d"
            }
        }
    }
}
```
But I get the following error:
```
RequestError: RequestError(400, 'parsing_exception', '[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]')
```
I want all the samples where "event.action" is equal to "ssh_login", and I also want to restrict them to a specific time window. What is the correct format for the above query? I am also having a problem with specifying the timestamp. The format of the timestamp is [2021-07-14T05:24:07.000Z]; how can I use specific timestamps for querying?
Thank you!
First of all, it's better to provide more context at least including the following:
That said, I'll make some assumptions and move on.
You have to use a bool query to combine multiple queries/conditions when finding relevant documents.
```python
from elasticsearch import Elasticsearch

es = Elasticsearch()

body = {
    'query': {
        'bool': {
            # every clause in 'must' has to match the document
            'must': [
                # exact match on the keyword field
                {'term': {'event.action': {'value': 'ssh_login'}}},
                # lower bound on the date field
                {'range': {'timestamp': {'gte': '2020-01-01T01:01:01.000Z'}}}
            ]
        }
    }
}

es.search(index="YOUR INDEX NAME", body=body)
```
This depends on your mapping. In my example, I used the following mapping.
```python
{
    'test': {
        'mappings': {
            'properties': {
                'event': {
                    'properties': {
                        'action': {
                            'type': 'keyword'
                        }
                    }
                },
                'timestamp': {
                    'type': 'date'
                }
            }
        }
    }
}
```
If you specified a custom date format that is not compatible with the format you are trying to query with, it might raise an error.
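As an added example (not from the question or the answer above), the following builds the bool/must query the answer describes for an explicit time window in the question's timestamp format, and checks the query's shape offline before it is sent, so the sibling-clause mistake behind the parsing_exception is caught locally. The field name, helper names and the `single_clause` checker are this example's own assumptions, not part of the Elasticsearch client.

```python
# Added example, not the question's or the answer's own code.
from datetime import datetime, timezone
from typing import Any, Dict

# Matches the question's timestamp format, e.g. 2021-07-14T05:24:07.000Z
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(value: str) -> datetime:
    """Reject a timestamp that does not match the index's date format."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_ssh_login_query(start: str, end: str, field: str = "event.action",
                          action: str = "ssh_login") -> Dict[str, Any]:
    """bool/must query: exact term on a keyword field plus a [start, end) window."""
    if parse_ts(start) >= parse_ts(end):
        raise ValueError("start must be before end")
    return {
        "query": {
            "bool": {
                "must": [
                    {"term": {field: {"value": action}}},
                    {"range": {"timestamp": {"gte": start, "lt": end}}},
                ]
            }
        }
    }


# Hypothetical offline shape check, not an Elasticsearch API.
LEAF_CLAUSES = {"term", "match", "range"}
BOOL_SLOTS = ("must", "filter", "should", "must_not")


def single_clause(query: Dict[str, Any]) -> bool:
    """A query object may hold exactly one clause. Sibling clauses such as the
    question's {"match": ..., "range": ...} are what Elasticsearch rejects with
    'expected [END_OBJECT] but found [FIELD_NAME]'."""
    q = query.get("query", query)
    if len(q) != 1:
        return False
    name, body = next(iter(q.items()))
    if name == "bool":
        return all(single_clause(c) for slot in BOOL_SLOTS for c in body.get(slot, []))
    return name in LEAF_CLAUSES
```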