Different number of hits between DSL Query and KQL

Elastic Stack Elasticsearch
1

Hello everyone,

I was curious about working with DSL queries, so I made some tests and I found something strange.

I have a winlogbeat-security index which contains windows security events and I am searching logs with the following term "Échec de l’audit" in a specific range.

However, when I am using DSL query I didn't have the same result as the KQL.

Look at the first picture :

image
image1612×217 21.6 KB

Here I am using KQL with Kibana interface and I got 1553 hits.

On the second picture we can see the same query but I have only 119 hits.

image
image1553×255 16.6 KB

If you have any ideas I will be happy to read you :slight_smile:

Thank you !

2

Hello everyone,

I fixed this problem by adding the time zone parameter like this :

GET winlogbeat-security/_search
{
  "query": {
    "bool": {
      "filter": [
        {"term": {"winlog.keywords": "Échec de l’audit"}},
        {"range": {"@timestamp": {"time_zone": "+02:00","gte": "2021-06-25T11:29:00.000", "lte": "2021-06-25T11:30:00.000"}}}
      ]
    }
  }
}

Now I have every hits about my query :

{
  "took" : 11,
  "timed_out" : false,
  "_shards" : {
    "total" : 53,
    "successful" : 53,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" :1553,
      "relation" : "eq"
    },

Thanks for reading :slight_smile:

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.