The following two queries return a different number of results and I cannot figure out why. The only difference between these two queries is that one is wrapped in "constant_score": { "filter":{ ...} }.
Note that the aim of this query is to just get data (the "some_field" data) within a 1h time interval of a certain host which then will be aggregated into buckets of 1s. I do not care about scores in this case.
First query with the wrapper:
{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "should": [
            {
              "match": {
                "hostname": "some_host"
              }
            }
          ],
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": "2019-09-21T13:12:00",
                  "lt": "2019-09-21T14:12:00"
                }
              }
            }
          ],
          "filter": [
            {
              "range": {
                "some_field": {
                  "gte": 200,
                  "lt": 500
                }
              }
            }
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "second"
      }
    }
  }
}
Second query without the wrapper which yields more results:
{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "hostname": "some_host"
          }
        }
      ],
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2019-09-21T13:12:00",
              "lt": "2019-09-21T14:12:00"
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "some_field": {
              "gte": 200,
              "lt": 500
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "second"
      }
    }
  }
}
Furthermore, since these queries were already implemented, I tried to clean the query up and got
{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "hostname": "some_host"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2019-09-21T13:12:00",
              "lt": "2019-09-21T14:12:00"
            }
          }
        },
        {
          "range": {
            "some_field": {
              "gte": 200,
              "lt": 500
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "second"
      }
    }
  }
}
The third query yields the same number of hits as the query with the constant_score clause.