Aggs not working on the current date

alerting

(Alexander Gohberg) #1

Hey all
I'm trying to aggregate the message field. When I try the following query in Dev Tools it works fine:

GET filebeat-6.3.2-2018.10.09/_search
{
    "aggs" : {
        "message.keyword" : {
            "terms" : { "field" : "message.keyword" }
        }
    }
}

The result is:

    "aggregations": {
      "message.keyword": {
        "doc_count_error_upper_bound": 141454,
        "sum_other_doc_count": 21714432,
        "buckets": [
          {
            "key": "",
            "doc_count": 2175665
          }

But when I change the date to the current one, it does not return any results for the aggregation:

GET filebeat-6.3.2-2018.10.10/_search
{
    "aggs" : {
        "message.keyword" : {
            "terms" : { "field" : "message.keyword" }
        }
    }
}

The result is:

    "aggregations": {
    "message.keyword": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }

I checked everything I could think of and all looks OK; moreover, I have events if I search Discover for today's filebeat index.

Please help, as I've been trying to solve this for more than 4 days.

Thanks in advance


(Alexander Reelsen) #2

A couple of things:

  • Have you checked the index names? Are they the same?
  • Do you have sufficient permissions in case you are using security?
  • Have you left out the query and checked if there are any documents in it?

--Alex


(Alexander Gohberg) #3

Issue was fixed by adding a mapping for message.keyword to the filebeat template.
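The symptom in #1 (doc_count_error_upper_bound 0 and empty buckets on the new daily index only) is what a terms aggregation returns when the target index has no message.keyword sub-field, which is why the template fix in #3 works. As an added example, not code from the thread or from Filebeat, here is a small Python helper that resolves a dotted field path in a GET <index>/_mapping response and builds the template fragment that gives future indices the keyword multi-field; the two mapping responses are constructed to mimic the two indices above, and the "doc" mapping type and the ignore_above value are assumptions.

```python
"""Check a _mapping response for message.keyword and build the template fix.

Added example, not from the thread. MAPPING_OK and MAPPING_MISSING are
constructed to resemble GET filebeat-6.3.2-2018.10.09/_mapping and
GET filebeat-6.3.2-2018.10.10/_mapping: the older index has the keyword
multi-field, the current one only has a text field (assumed cause).
"""

MAPPING_OK = {  # constructed: aggregation works on this index
    "filebeat-6.3.2-2018.10.09": {"mappings": {"doc": {"properties": {
        "message": {"type": "text",
                    "fields": {"keyword": {"type": "keyword", "ignore_above": 1024}}}
    }}}}
}
MAPPING_MISSING = {  # constructed: text only, so message.keyword does not exist
    "filebeat-6.3.2-2018.10.10": {"mappings": {"doc": {"properties": {
        "message": {"type": "text"}
    }}}}
}


def field_type(index_body, dotted_path):
    """Resolve 'message.keyword' through properties/fields nesting and return
    the leaf field's type, or None if any path segment is missing."""
    mappings = index_body["mappings"]
    # ES 6.x nests a mapping type (e.g. "doc"); ES 7+ puts properties directly.
    type_mappings = [mappings] if "properties" in mappings else list(mappings.values())
    for node in type_mappings:
        for part in dotted_path.split("."):
            # object fields use "properties", multi-fields use "fields"
            children = {**node.get("properties", {}), **node.get("fields", {})}
            if part not in children:
                break
            node = children[part]
        else:
            return node.get("type")
    return None


def missing_keyword_indices(mapping_response, field="message.keyword"):
    """Names of indices in a _mapping response where `field` is not a keyword."""
    return [name for name, body in mapping_response.items()
            if field_type(body, field) != "keyword"]


def keyword_template(pattern="filebeat-*", field="message", ignore_above=1024):
    """Legacy _template body (ES 6.x shape, 'doc' type assumed) adding a keyword
    multi-field so every future daily index gets <field>.keyword."""
    return {"index_patterns": [pattern], "mappings": {"doc": {"properties": {
        field: {"type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": ignore_above}}}
    }}}}
```

Run missing_keyword_indices over the real GET filebeat-*/_mapping output to see which daily indices still lack the sub-field; the template only affects indices created after it is installed.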


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.