Hi,
I have an index which has a lot of documents (+100MM). All documents have a field called "code" which has integers as values. I'm trying to retrieve documents that have code set to 4732 OR 4756 OR 4758.
If I run the query like this, I get what I was expecting.
POST /myindex-*/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "event.code": 4732 }},
        { "match": { "event.code": 4756 }},
        { "match": { "event.code": 4728 }}
      ]
    }
  }
}
However, if I run the query like this (note the filter parameter), documents with code 4776 appear.
{
  "query": {
    "bool": {
      "should": [
        { "match": { "event.code": 4732 }},
        { "match": { "event.code": 4756 }},
        { "match": { "event.code": 4728 }}
      ],
      "filter": [
        { "range": { "@timestamp": { "gte": "now-1M", "lt": "now" }}}
      ]
    }
  }
}
My question is: why does this happen? My best guess is that all documents that match the criteria (code == 4732, 4756, 4728) are retrieved first, and then Elastic tries to deliver the documents that best match the provided criteria. Am I right? If yes, how should I write this query to avoid it?
PS: I noted that the very same thing happens if I set size to a huge value.
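As an added example (not part of the original post, reusing its index pattern and field names): once a bool query contains a `filter` or `must` clause, its `should` clauses become optional unless `minimum_should_match` is set, so the first request pins it to 1, and the second shows the equivalent `terms` form that needs no scoring at all.

```json
POST /myindex-*/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "event.code": 4732 }},
        { "match": { "event.code": 4756 }},
        { "match": { "event.code": 4728 }}
      ],
      "minimum_should_match": 1,
      "filter": [
        { "range": { "@timestamp": { "gte": "now-1M", "lt": "now" }}}
      ]
    }
  }
}

POST /myindex-*/_search
{
  "query": {
    "bool": {
      "filter": [
        { "terms": { "event.code": [4732, 4756, 4728] }},
        { "range": { "@timestamp": { "gte": "now-1M", "lt": "now" }}}
      ]
    }
  }
}
```

With either form, a document whose event.code is 4776 can no longer match on the time range alone, which matters when the query backs a detection rule and every returned hit is treated as a true match.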