Converting from SQL to elasticsearch query


April 2019


441 time


Elasticsearch noob and need help with a query. I have the following SQL query that I need to convert to a query to Elasticsearch

FROM table 
WHERE Message LIKE '%Communication  has failed.%'
  AND [Date] > CONVERT( CHAR(8), GetDate(), 112) + ' 07:40:00'
  AND [Date] < CONVERT( CHAR(8), GetDate(), 112) + ' 22:15:00'

I want to run the query against elasticsearch using curl and need help composing the query.

[Date] is equal to @timestamp in Elasticsearch document. Would also be nice if the elastic query syntax had and equivalent of getdate() to the current data.

1 answers


The easiest way to get a count of all results is using the hits field in the result set. If you want to to that, your query would be:

POST /my_index/_search
  "query": {
    "bool": {
      "must": [
          "match": {
            "message": "*Communication  has failed*"
          "range": {
            "my_date_field": {
              "gte": "01/01/2018",
              "lt": "01/02/2018",
              "format": "dd/MM/yyyy"
  "size": 0

Notice I am doing a range query on the date and a match query on the message. I also set a size to zero b/c I only want to get back the hits values. The result would look like this:

  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 346,
    "max_score": 0,
    "hits": []

You could also use an aggregate query, but in this case you would want to aggregate on one field and the result of the aggregate would be the same as the hits field value. Think of an aggregate like the GROUP BY function in SQL. If you were only to GROUP BY one group, then your group would be equal to the value of COUNT(*). If you are interested in learning more about aggregates the documation is here: