This is the query in question.
{
  "query": {
    "bool": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-12h"
          }
        }
      },
      "must": [
        {
          "match": {
            "type.keyword": "camunda.log"
          }
        },
        {
          "match": {
            "message": "com.arjuna.ats.arjuna"
          }
        }
      ]
    }
  }
}
When I run this in dev tools I get:
{
  "took": 54,
  "timed_out": false,
  "_shards": {
    "total": 405,
    "successful": 405,
    "failed": 0
  },
  "hits": {
    "total": 4421,
    "max_score": 10.361226,
    "hits": [
      {
        "_index": "camunda-prod-2018.08.22",
        "_type": "camunda.log",
        "_id": "AWVi7_XDJWzZ_kaZnjBs",
        "_score": 10.361226,
Which is not right. When I run this as a filter query in Discover, I get 133 hits.
That is correct. Why am I getting two different answers with the same query? I am setting this up as a watch. In the watch I get the 4421 hits also. Am I overlooking something?