Here are the exact Lucene queries being used. I'm mostly looking at filebeat right now, since that is what clued me in, but it is also on the metricbeat index.
Does NOT work: env.overall:prod AND "app-name"
Does work: env.overall:prod AND message: "app-name"
I have 3 different filebeat indices (for different ENVs) and all of them are exhibiting this same problem.
I am only looking back 15 minutes and it is timing out, btw.
Here is the request payload, I believe (fished out of the Kibana request that is coming back and then adjusted to not query message specifically).
{
  "version": true,
  "size": 1000,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "30s",
        "time_zone": "UTC",
        "min_doc_count": 1
      }
    }
  },
  "stored_fields": [
    ""
  ],
  "script_fields": {},
  "docvalue_fields": [
    "@timestamp",
    "event.created",
    "suricata.eve.flow.end",
    "suricata.eve.flow.start",
    "suricata.eve.timestamp",
    "suricata.eve.tls.notafter",
    "suricata.eve.tls.notbefore"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "env.overall:prod AND \"container-service-proxy\"",
            "analyze_wildcard": true,
            "default_field": ""
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1565115340106,
              "lte": 1565116240106,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "filter": [],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}
Do you think that a mapping size greater than 10MB is okay? (I think not, since I can get the result by querying directly...) But just asking.
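As an added example (not code from the original post or from Elastic), this shows why the two Lucene queries above behave so differently: a bare quoted term in query_string is expanded over every term-searchable leaf field in the index mapping, whereas message:"..." hits exactly one field, so the cost grows with the size of the mapping. The mapping below is a small constructed stand-in for a Beats index, and TERM_SEARCHABLE is an assumption about which field types a bare term is expanded over.

```python
import re

# Constructed sample mapping (NOT the poster's real filebeat mapping): a tiny
# slice shaped like a Beats index, with nested objects and a multi-field.
SAMPLE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "message": {"type": "text"},
        "env": {"properties": {"overall": {"type": "keyword"}}},
        "host": {"properties": {"name": {"type": "keyword",
                                         "fields": {"text": {"type": "text"}}}}},
        "suricata": {"properties": {"eve": {"properties": {
            "flow": {"properties": {"start": {"type": "date"},
                                    "end": {"type": "date"}}},
            "tls": {"properties": {"sni": {"type": "keyword"}}}}}}},
    }
}

# Assumption: field types that an unqualified term is expanded over.
TERM_SEARCHABLE = {"text", "keyword", "ip"}


def leaf_fields(mapping, prefix=""):
    """Flatten a mapping into {dotted_path: type}, multi-fields included."""
    out = {}
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            out.update(leaf_fields(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
            for sub, subspec in spec.get("fields", {}).items():  # multi-fields
                out[path + "." + sub] = subspec.get("type")
    return out


def fields_searched(mapping, field=None):
    """Fields a query_string term hits: one when qualified with field, else
    every term-searchable leaf (default_field left at its '*' default)."""
    leaves = leaf_fields(mapping)
    if field:
        return [field] if field in leaves else []
    return sorted(p for p, t in leaves.items() if t in TERM_SEARCHABLE)


def qualify(query, field):
    """Rewrite bare quoted phrases in a Lucene query so they target one field;
    phrases already qualified (field:"..." or field: "...") are left alone."""
    return re.sub(r'(?<!:)(?<!: )("[^"]*")', field + r':\1', query)
```

Comparing len(fields_searched(m)) with len(fields_searched(m, "message")) on a real mapping (fetched with GET index/_mapping) gives a concrete count of how many fields the failing query fans out over.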