Different number of hits between DSL Query and KQL

baddack · June 25, 2021, 1:30pm

Hello everyone,

I was curious about working with DSL queries, so I made some tests and I found something strange.

I have a winlogbeat-security index which contains windows security events and I am searching logs with the following term "Échec de l’audit" in a specific range.

However, when I am using DSL query I didn't have the same result as the KQL.

Look at the first picture :

Here I am using KQL with Kibana interface and I got 1553 hits.

On the second picture we can see the same query but I have only 119 hits.

If you have any ideas I will be happy to read you

Thank you !

baddack · June 28, 2021, 11:11am

Hello everyone,

I fixed this problem by adding the time zone parameter like this :

GET winlogbeat-security/_search
{
  "query": {
    "bool": {
      "filter": [
        {"term": {"winlog.keywords": "Échec de l’audit"}},
        {"range": {"@timestamp": {"time_zone": "+02:00","gte": "2021-06-25T11:29:00.000", "lte": "2021-06-25T11:30:00.000"}}}
      ]
    }
  }
}

Now I have every hits about my query :

{
  "took" : 11,
  "timed_out" : false,
  "_shards" : {
    "total" : 53,
    "successful" : 53,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" :1553,
      "relation" : "eq"
    },

Thanks for reading

Topic		Replies	Views
Different number of documents when querying Kibana vs Elasticsearch Elasticsearch	2	430	April 16, 2018
DSL Query does date math differently than KQL? Elasticsearch	2	421	July 5, 2023
KQL-related performance issue Kibana kql-kibana-query-language	11	2385	November 14, 2019
Timezone causing problem when doing a search query to an index! Logstash	7	3732	July 6, 2017
Search docs not return 0 hits Elasticsearch	10	258	May 13, 2024

Different number of hits between DSL Query and KQL

Related topics