Aggregation fails silently, returns the default response of 10 docs and hits instead of error

ES / Kibana v 8.14.1

Same as Aggregation fails silently when ran on huge data, instead of error returns the default response of 10 docs and hits

I send an aggregation query with "size": 0

example query

POST /logstash-*/_search?typed_keys=true
{
  "aggregations": {
    "uri": {
      "terms": {
        "script": {
          "source": "doc['site'].value + (doc['requestInfo.request-uri.keyword'].size()==0 ? '' : doc['requestInfo.request-uri.keyword'].value)"
        },
        "order": {
          "response-time.sum": "desc"
        }
      },
      "aggregations": {
        "response-time": {
          "stats": {
            "field": "httpResponseMilli"
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "clusterId.keyword": {
              "value": "37.59.251.196"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "from": "2024-07-07T00:00:00Z",
              "to":   "2024-07-08T10:00:00Z"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

Response to above query (contains hits despite size: 0, no aggregation, no error, and took is way lower than the actual time it took):

{
  "took" : 232,
  "timed_out" : false,
  "_shards" : {
    "total" : 282,
    "successful" : 282,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "logstash-000328",
        "_id" : "11879ca91990524c69acbe31989a2bf400ac42c4cc7e0837ff278bb0f1c1d173b36eb52fc34c42d0c42b74ab686222ff",
        "_score" : 1.0,
        "_source" : {
          "serviceAddr" : "94.187.139.212",
          "originDuration" : 61400264,
          "clusterId" : "37.59.251.196",
          ...
        }
      },
      { ... },
      { ... },
      { ... },
      { ... },
      { ... },
      { ... },
      { ... },
      { ... },
      { ... },
    ]
  }
}

Expected response (this is what I get when I reduce the timestamp range) :

{
  "took" : 778,
  "timed_out" : false,
  "_shards" : {
    "total" : 282,
    "successful" : 282,
    "skipped" : 270,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 656437,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "sterms#uri" : {
      "doc_count_error_upper_bound" : -1,
      "sum_other_doc_count" : 631795,
      "buckets" : [
        {
          "key" : "some.domain.fr/bla/bla",
          "doc_count" : 7322,
          "stats#response-time" : {
            "count" : 7322,
            "min" : 7.205279,
            "max" : 1017050.605677,
            "avg" : 87982.09219328518,
            "sum" : 6.44204879039234E8
          }
        },
        {
          "key" : "other.domain.fr/other/url",
          "doc_count" : 7377,
          "stats#response-time" : {
            "count" : 7377,
            "min" : 0.01558,
            "max" : 125168.774047,
            "avg" : 83105.62423720957,
            "sum" : 6.13070189997895E8
          }
        },
        { ... },
        { ... },
        { ... },
        { ... },
        { ... },
        { ... },
        { ... },
        { ... }
      ]
    }
  }
}

Could you run the same query via CURL? I suspect this is a strange behaviour from Kibana after the query terminated abnormally.

Indeed, it works fine with curl!

Maybe it's just Kibana doing something stupid if the query takes too long.
Like, "Oh it looks like this is taking forever, the user will probably not wait any longer, so let's just return something to keep the user happy" :laughing:
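
A client-side check for the mismatch reported in this thread, as an added example that is not part of the original posts: it compares a `_search` response with the request body and flags the three symptoms seen above (documents returned despite "size": 0, a "gte" total despite "track_total_hits": true, and no aggregations). The function name `check_search_response` and the trimmed sample dictionaries are constructed for illustration.

```python
"""Sanity-check an Elasticsearch _search response against the request that produced it."""


def check_search_response(request: dict, response: dict, typed_keys: bool = False) -> list:
    """Return a list of mismatches; an empty list means the response fits the request."""
    problems = []

    if response.get("timed_out"):
        problems.append("timed_out is true")
    if response.get("_shards", {}).get("failed", 0):
        problems.append("some shards failed")

    hits = response.get("hits", {})
    # "size": 0 asks for no documents at all.
    if request.get("size") == 0 and hits.get("hits"):
        problems.append(f"size 0 requested but {len(hits['hits'])} hits returned")

    # "track_total_hits": true asks for an exact count, reported as relation "eq".
    if request.get("track_total_hits") is True:
        relation = hits.get("total", {}).get("relation")
        if relation != "eq":
            problems.append(f"exact total requested but relation is {relation!r}")

    # Both spellings of the key are accepted in a request body.
    wanted = request.get("aggregations") or request.get("aggs") or {}
    returned = set()
    for key in response.get("aggregations", {}):
        # With ?typed_keys=true each key is "<type>#<name>", e.g. "sterms#uri".
        returned.add(key.split("#", 1)[-1] if typed_keys else key)
    for name in wanted:
        if name not in returned:
            problems.append(f"aggregation {name!r} missing from response")
    return problems


# Constructed samples, trimmed from the request and the two responses in the thread.
REQUEST = {"size": 0, "track_total_hits": True,
           "aggregations": {"uri": {}}}  # aggregation body omitted, only the name is checked
BAD = {"timed_out": False, "_shards": {"failed": 0},
       "hits": {"total": {"value": 10000, "relation": "gte"},
                "hits": [{"_index": "logstash-000328"}] * 10}}
GOOD = {"timed_out": False, "_shards": {"failed": 0},
        "hits": {"total": {"value": 656437, "relation": "eq"}, "hits": []},
        "aggregations": {"sterms#uri": {"buckets": []}}}

if __name__ == "__main__":
    for label, resp in (("bad", BAD), ("good", GOOD)):
        print(label, check_search_response(REQUEST, resp, typed_keys=True))
```

Running the check on whatever the client actually received turns a silent fallback into an explicit failure, which matters when dashboards or alert rules consume the aggregation result.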