Cardinality aggregation always returning one extra count

I am new to Elasticsearch and wanted to query the number of clients at a fixed_interval of 1 hour, and hence used the cardinality aggregation along with the date_histogram aggregation. The problem is that the cardinality aggregation is always returning one extra count. Below are the mapping, document, query and result:

The mapping of the index used,

The document that is being queried,

The query that I used,

{'query': {'nested': {'path': 'tags',
   'query': {'bool': {'must': [{'match': {'tags.object_id': {'query': 'e21ed0ac-701e-4fe6-b08b-00477f742774'}}},
      {'match': {'tags.content_type': {'query': 'config.device'}}}]}}}},
 '_source': False,
 'size': 0,
 'aggs': {'GroupByTime': {'nested': {'path': 'points',
    'aggs': {'set_range': {'filter': {'range': {'points.time': {'from': 'now-7d/d',
         'to': 'now/d'}}},
      'aggs': {'time': {'date_histogram': {'field': 'points.time',
         'fixed_interval': '1h',
         'format': 'date_time_no_millis',
         'order': {'_key': 'desc'},
         'time_zone': 'Asia/Kolkata'},
        'aggs': {'nest': {'nested': {'path': 'points.fields',
           'aggs': {'wifi_clients': {'cardinality': {'field': 'points.fields.clients.keyword',
              'missing': 0}}}}}}}}}}}}}}

The result obtained,

{'took': 1,
 'timed_out': False,
 '_shards': {'total': 1, 'successful': 1, 'skipped': 0, 'failed': 0},
 'hits': {'total': {'value': 1, 'relation': 'eq'},
  'max_score': None,
  'hits': []},
 'aggregations': {'GroupByTime': {'meta': {},
   'doc_count': 3,
   'set_range': {'meta': {},
    'doc_count': 3,
    'time': {'buckets': [{'key_as_string': '2020-08-02T18:00:00Asia/Kolkata',
       'key': 1596371400000,
       'doc_count': 3,
       'nest': {'doc_count': 3, 'wifi_clients': {'value': 3}}}]}}}}}

I got a result of 3 for the wifi_clients value but was expecting 2 (there are only two distinct clients, as can be seen in the document image). I have tried with different numbers of clients but every time got one extra count :confused:.

Note: I was using the elasticsearch-python client, so a few variables might seem odd, like False in place of false (stating this to avoid any confusion :slight_smile: )

I would like to know why there is always one extra count being returned :thinking:. Thanks!
