Elasticsearch responds with buckets that should be filtered out by the query. What's wrong?
The request is:
curl -kv --max-time 60 -H "Content-Type: application/json" "http://elasticsearch.example.com/jp-2021.0*/_search" -d '
{
  "track_total_hits": true,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "analyze_wildcard": true,
            "query": "succeeded:true and code:012345",
            "time_zone": "Asia/Tokyo"
          }
        },
        {
          "range": {
            "requestInTs": {
              "format": "strict_date_optional_time",
              "gte": "2021-06-30T15:00:00.000Z",
              "lte": "2021-07-31T15:00:00.000Z"
            }
          }
        }
      ],
      "must_not": [],
      "should": []
    }
  },
  "size": 100,
  "aggs": {
    "2": {
      "aggs": {
        "4": {
          "terms": {
            "field": "code.keyword",
            "missing": "__missing__",
            "size": 100
          },
          "aggs": {
            "1": {
              "cardinality": {
                "field": "messageId.keyword"
              }
            }
          }
        }
      },
      "date_histogram": {
        "calendar_interval": "1M",
        "field": "requestInTs",
        "min_doc_count": 1,
        "time_zone": "Asia/Tokyo"
      }
    }
  }
}
'
Response is:
{
  "took": 14284,
  "timed_out": false,
  "_shards": {
    "total": 16,
    "successful": 16,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10492048,
      "relation": "eq"
    },
    "max_score": 1.181548,
    "hits": [
      ...
    ]
  },
  "aggregations": {
    "2": {
      "buckets": [
        {
          "key_as_string": "2021-07-01T00:00:00.000+09:00",
          "key": 1625065200000,
          "doc_count": 10492048,
          "4": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "012345",
                "doc_count": 9149060,
                "1": {
                  "value": 4583613
                }
              },
              {
                "key": "011179",
                "doc_count": 850944,
                "1": {
                  "value": 423008
                }
              },
              {
                "key": "012138",
                "doc_count": 409850,
                "1": {
                  "value": 207397
                }
              },
              {
                "key": "099451",
                "doc_count": 82194,
                "1": {
                  "value": 41269
                }
              }
            ]
          }
        }
      ]
    }
  }
}
code:012345 is in the query. Why does the response include keys other than 012345?