Hello there,
I’m new to using open-distro alerting with my AWS Elasticsearch cluster. I’m trying to set up a query to return how many 200 status code values for a certain timeframe. Below is the query I am using, when using the filter in the query I get zero hits. If I remove the timestamp filter I get hits from the query.
I there a different string or query to use for the timestamp when using open-distro?
{
"size": 0,
"query": {
"match": {
"sc_status": {
"query": "200",
"operator": "OR",
"prefix_length": 0,
"max_expansions": 50,
"fuzzy_transpositions": true,
"lenient": false,
"zero_terms_query": "NONE",
"auto_generate_synonyms_phrase_query": true,
"boost": 1
}
},
"filter": {
"range": {"@timestamp":{"gte": "<{now-5m}>"}}
}}}