Elastic dev tool has different total hits number than discover query search

Hi, I have the same query and with the same filter.

But the dev tool and Discover give me different total hit counts. I wonder what the reason for that is, and which is the accurate one?


Maybe because of the timestamp values which are not identical?
Or you are not in the GMT timezone so again the timestamp is different?

Hi, @dadoonet,

Thanks for the reply.
I think my Discover has the correct timestamp for my local time. Is it possible to sync the dev tool timestamp to the Discover one so that it can be reflected in the time zone?

Hi @JasonREC
The time range is not the same, pretty clear...

Your discover and query clearly show different time ranges...

If you put in exactly the same time range to the millisecond they should be the same, I have validated many times.

Thanks @stephenb
but what do you mean by put in exactly the same time range to the millisecond?

Currently, I am not sure if I want the hit number for the entire September, which one I should use...


@stephenb

I eventually used this date range in order to get all the documents that fall in September. But it is still a bit different from Kibana Discover.

"range": {
  "date_range": {
    "field": "@timestamp",
    "format": "yyyy-MM-dd HH:mm:ss.SSS",
    "ranges": [
      {
        "from": "2023-09-01 00:00:00.000",
        "to": "2023-09-30 23:59:59.999"
      }
    ]
  }
}

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

You can do this (Elastic 8.10.2). Click on Inspect and then choose the "Request" tab. You will see the exact query which is sent to Elasticsearch.

Click on Open in Console. And it should give you the same results.

Hi @JasonREC

My sample, this is what I mean...

Discover

KQL:
kubernetes.labels.app : "productcatalogservice"

Date Ranges
Oct 2, 2023 @ 00:00:00.000 <!-- Exact Date
Oct 3, 2023 @ 00:00:00.000 <!-- Exact Date

Inspect -> Query

  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "kubernetes.labels.app": {
                    "value": "productcatalogservice"
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-10-02T07:00:00.000Z", <!-- Exact Date 
              "lte": "2023-10-03T07:00:00.000Z" <!-- Exact Date 
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },

Then I run in Dev Tools

GET logs-*/_search
{
 "size": 0,
 "track_total_hits": true,  
 "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "kubernetes.labels.app": {
                    "value": "productcatalogservice"
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-10-02T07:00:00.000Z", <!-- Exact Date 
              "lte": "2023-10-03T07:00:00.000Z" <!-- Exact Date 
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

Result

{
  "took": 90,
  "timed_out": false,
  "_shards": {
    "total": 67,
    "successful": 67,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 4991548, <!-- Exact Same Answer 
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

Exactly the same

1 Like

Hi @stephenb

Thanks for the demo! Very helpful!

I now found out that the date range that I specify in the Discover console (Sep 1 00:00:00 to Sep 30 23:59:59:999) is completely different from the query inside the inspect request.

Inside the inspect query, the date range is:

"gte": "2023-08-31T16:00:00.000Z",
"lte": "2023-09-30T16:00:00.000Z"

I am not sure why this happened, but I think that is the reason that you mentioned, which really causes the total hits number to have a different result.

In Discover:

In inspect request query:

1 Like

Hi @dadoonet

I am sorry for the inconvenience, I will now take advantage of the </> icon!

And thanks for guiding me to the inspect request tab. I have now found out the reason which causes the total hits to have a different result between Discover and the dev tool.

1 Like
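The mismatch found in this thread, worked through as an added example (not code from any poster or from Elastic): Kibana converts the browser-local time range to UTC before querying, while date strings sent from Dev Tools without an offset are read as UTC. The UTC+8 and UTC-7 offsets are inferred from the bounds quoted in the posts above; the function names and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

LOCAL_FMT = "%Y-%m-%d %H:%M:%S.%f"      # matches the thread's "yyyy-MM-dd HH:mm:ss.SSS"
UTC_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def to_utc_z(local_wall_clock, utc_offset_hours):
    """Wall-clock time at a fixed UTC offset -> millisecond UTC string as Kibana sends it."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    utc = datetime.strptime(local_wall_clock, LOCAL_FMT).replace(tzinfo=tz).astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"

def utc_bounds_filter(start_local, end_local, utc_offset_hours, field="@timestamp"):
    """Range filter with explicit UTC bounds, the shape shown under Inspect > Request."""
    return {"range": {field: {"format": "strict_date_optional_time",
                              "gte": to_utc_z(start_local, utc_offset_hours),
                              "lte": to_utc_z(end_local, utc_offset_hours)}}}

def time_zone_filter(start_local, end_local, utc_offset_hours, field="@timestamp"):
    """Same window, keeping local strings and letting Elasticsearch convert via time_zone."""
    sign = "+" if utc_offset_hours >= 0 else "-"
    hours, minutes = divmod(round(abs(utc_offset_hours) * 60), 60)
    return {"range": {field: {"format": "yyyy-MM-dd HH:mm:ss.SSS",
                              "time_zone": f"{sign}{hours:02d}:{minutes:02d}",
                              "gte": start_local, "lte": end_local}}}

def count_in_window(timestamps_utc, gte, lte):
    """Count UTC timestamps inside [gte, lte], mimicking the range filter offline."""
    lo, hi = datetime.strptime(gte, UTC_FMT), datetime.strptime(lte, UTC_FMT)
    return sum(lo <= datetime.strptime(t, UTC_FMT) <= hi for t in timestamps_utc)

# Constructed sample @timestamp values (stored in UTC), not data from the thread.
SAMPLE = ["2023-08-31T18:30:00.000Z",   # Sep 1 02:30 at UTC+8
          "2023-09-15T12:00:00.000Z",
          "2023-09-30T15:00:00.000Z",   # Sep 30 23:00 at UTC+8
          "2023-09-30T20:00:00.000Z",   # Oct 1 04:00 at UTC+8
          "2023-09-30T22:45:00.000Z"]   # Oct 1 06:45 at UTC+8

if __name__ == "__main__":
    f = utc_bounds_filter("2023-09-01 00:00:00.000", "2023-10-01 00:00:00.000", 8)
    bounds = f["range"]["@timestamp"]
    print("local-September window:", bounds["gte"], "->", bounds["lte"])
    print("hits, local window:", count_in_window(SAMPLE, bounds["gte"], bounds["lte"]))
    print("hits, strings read as UTC:",
          count_in_window(SAMPLE, "2023-09-01T00:00:00.000Z", "2023-09-30T23:59:59.999Z"))
```

Either filter can replace the range clause in a Dev Tools request; `time_zone` is the range query parameter that tells Elasticsearch which offset to apply to offset-less date strings.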
