Both the queries seem the same, but the count is different. WHY?


(Rupam Sarkar) #1

1st query:

{
  "size": 0,
  "aggs": {
    "2": {
      "terms": {
        "field": "appName",
        "size": 100,
        "order": {
          "1": "desc"
        }
      },
      "aggs": {
        "1": {
          "cardinality": {
            "field": "userId"
          }
        }
      }
    }
  },
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "eventName :IncomingRequest",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "query": {
                "match": {
                  "appName": {
                    "query": "opsprodai",
                    "type": "phrase"
                  }
                }
              },
              "$state": {
                "store": "appState"
              }
            },
            {
              "query": {
                "query_string": {
                  "analyze_wildcard": true,
                  "query": "*"
                }
              }
            },
            {
              "range": {
                "telemetryEventTime": {
                  "gte": 1475406373747,
                  "lte": 1477998373747,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  }
}

2nd query:

{
  "size": 0,
  "aggs": {
    "1": {
      "cardinality": {
        "field": "userId"
      }
    }
  },
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "eventName :IncomingRequest",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "query": {
                "match": {
                  "appName": {
                    "query": "opsprodai",
                    "type": "phrase"
                  }
                }
              },
              "$state": {
                "store": "appState"
              }
            },
            {
              "query": {
                "query_string": {
                  "analyze_wildcard": true,
                  "query": "*"
                }
              }
            },
            {
              "range": {
                "telemetryEventTime": {
                  "gte": 1475406373747,
                  "lte": 1477998373747,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  }
}

I want to count unique users for each application, but the outcomes of these two queries for the app "opsprodai" are not equal. :disappointed:


(Tyler Smalley) #2

How far off are the counts? A cardinality aggregation should be treated as an approximation.

More information on approximate counts: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-cardinality-aggregation.html#_counts_are_approximate
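
The approximation mentioned in the reply above, illustrated with a simplified HyperLogLog sketch (Elasticsearch's cardinality aggregation is based on HyperLogLog++). This is an added example, not code from the thread or from Elasticsearch; the hash function, the precisions 14 and 10, and the constructed `user-N` ids are assumptions chosen for illustration.

```python
import hashlib
import math

def hash64(value: str) -> int:
    # 64-bit hash of a field value (BLAKE2b is an assumption for this sketch)
    digest = hashlib.blake2b(value.encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")

class HyperLogLog:
    """Plain HyperLogLog with 2**p registers (simplified, not HyperLogLog++)."""

    def __init__(self, p: int):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m

    def add(self, h: int) -> None:
        width = 64 - self.p
        idx = h >> width                      # top p bits select a register
        rest = h & ((1 << width) - 1)         # remaining bits of the hash
        rank = width - rest.bit_length() + 1  # position of the first 1-bit
        self.registers[idx] = max(self.registers[idx], rank)

    def estimate(self) -> int:
        alpha = 0.7213 / (1 + 1.079 / self.m)  # bias constant, valid for m >= 128
        raw = alpha * self.m ** 2 / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:      # small range: linear counting
            raw = self.m * math.log(self.m / zeros)
        return round(raw)

def compare(n_users=200_000, repeats=2, precisions=(14, 10)):
    # Constructed sample: every user id appears `repeats` times.
    events = [f"user-{i % n_users}" for i in range(n_users * repeats)]
    exact = len(set(events))
    sketches = {p: HyperLogLog(p) for p in precisions}
    for event in events:
        h = hash64(event)
        for sketch in sketches.values():
            sketch.add(h)
    return exact, {p: s.estimate() for p, s in sketches.items()}

if __name__ == "__main__":
    exact, estimates = compare()
    print("exact unique users:", exact)
    for p, est in estimates.items():
        print(f"p={p}: estimate={est} error={abs(est - exact) / exact:.2%}")
```

The same set of user ids yields a different estimate at each precision, and neither has to equal the exact count. In Elasticsearch this accuracy/memory trade-off is exposed through the cardinality aggregation's `precision_threshold` option.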

