elastic query to SQL

Question

The following query is run against metricbeat. I am trying to understand what exactly the query is returning.

GET metricbeat-*/_search 
{ 
  "query": { 
    "bool": { 
      "filter": [ 
        { 
          "range": { 
            "@timestamp": { 
              "gte": "now-5m" 
            } 
          } 
        }, 
        { 
          "bool": { 
            "should": [ 
              { 
                "match_phrase": { 
                  "host.name": "noether" 
                } 
              }, 
              { 
                "match_phrase": { 
                  "event.dataset": "system.cpu" 
                } 
              } 
            ] 
          } 
        } 
      ] 
    } 
  } 
}

Is this query equivalent to this?

select * from table where range > now-5m and (host.name = 'noether' OR event.dataset = 'system.cpu')

Also check out the SQL Translate API (elastic.co/guide/en/elasticsearch/reference/current/…) if you want to go the other way around :) — apt-get_install_skill
– apt-get_install_skill, Commented Sep 4, 2019 at 16:22

apt-get_install_skill · Accepted Answer · 2019-09-04 14:08:22Z

2

Yes, your assumption is correct besides that it is actually where range >= now-5m since you use the gte operator in your range filter.

You could avoid using the match_phrase query by alternatively using a match query against the keyword-fields of host.name and event.dataset

answered Sep 4, 2019 at 14:08

apt-get_install_skill

2,93814 silver badges29 bronze badges

Sign up to request clarification or add additional context in comments.

Collectives™ on Stack Overflow

elastic query to SQL

1 Answer 1

Comments

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Related