_msearch query seems to ignore the filter

Hello.

Elasticsearch version: 5.1.1

JVM version:
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

OS version:
Ubuntu 14.04 x64

Description of the problem including expected versus actual behavior:
I send a query to get some metrics (gathered by Metricbeat), filter them, and group them by several conditions.

Steps to reproduce:
Enable metricbeat system module
Import metricsets template for ELS
Send the following query:

{
  "search_type":"query_then_fetch",
  "ignore_unavailable":true,
  "index":[
    "metricbeat-2017.04.02",
    "metricbeat-2017.04.03"
  ]
}{
  "size":0,
  "query":{
    "bool":{
      "filter":[
        {
          "range":{
            "@timestamp":{
              "gte":"1491166800000",
              "lte":"1491253199999",
              "format":"epoch_millis"
            }
          }
        },
        {
          "query_string":{
            "analyze_wildcard":true,
            "query":"role:db"
          }
        }
      ]
    }
  },
  "aggs":{
    "5":{
      "terms":{
        "field":"role_host",
        "size":10,
        "order":{
          "_term":"asc"
        },
        "min_doc_count":0
      },
      "aggs":{
        "2":{
          "date_histogram":{
            "interval":"1m",
            "field":"@timestamp",
            "min_doc_count":0,
            "extended_bounds":{
              "min":"1491166800000",
              "max":"1491253199999"
            },
            "format":"epoch_millis"
          },
          "aggs":{
            "1":{
              "avg":{
                "field":"system.load.1"
              }
            }
          }
        }
      }
    }
  }
}

Provide logs (if relevant):

{
  "responses":[
    {
      "took":100,
      "timed_out":false,
      "_shards":{
        "total":18,
        "successful":18,
        "failed":0
      },
      "hits":{
        "total":994883,
        "max_score":0.0,
        "hits":[

        ]
      },
      "aggregations":{
        "5":{
          "doc_count_error_upper_bound":0,
          "sum_other_doc_count":0,
          "buckets":[
            {
              "key":"lb1.lb.ap.prd",
              "doc_count":0,
              "2":{
                "buckets":[
                  {
                    "key_as_string":"1491166800000",
                    "key":1491166800000,
                    "doc_count":0,
                    "1":{
                      "value":null
                    }
                  },
                  {
                    "key_as_string":"1491166860000",
                    "key":1491166860000,
                    "doc_count":0,
                    "1":{
                      "value":null
                    }
                  },
                  {
                    "key_as_string":"1491166920000",
                    "key":1491166920000,
                    "doc_count":0,
                    "1":{
                      "value":null
                    }
                  },
                  {
                    "key_as_string":"1491166980000",
                    "key":1491166980000,
                    "doc_count":0,
                    "1":{
                      "value":null
                    }
                  },
                  "status":200
                }
              ]
            }

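The response is shown only partially because of the huge number of rows, but it is enough to reproduce the issue: key:lb1.lb.ap.prd - this host does not have role:db; its role is role:lb. The issue is that filtering is not working: I'm getting an aggregation over all role_host values, but I should get only those where role:db. (Note that the bucket shown for this host has doc_count 0, and the terms aggregation in the query sets min_doc_count to 0, which makes Elasticsearch return buckets for terms that match no documents.)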
