Hi all.
I'm using Elasticsearch version 1.4.2 to get significant terms from the
data gathered by Logstash.
When I do the job using the request below, it works fine.
# Request (works fine)
curl -XGET http://localhost:9200/logstash-2014.11.11,logstash-2014.11.12,logstash-2014.11.13,logstash-2014.11.14,logstash-2014.11.15,logstash-2014.11.16,logstash-2014.11.17,logstash-2014.11.18,logstash-2014.11.19,logstash-2014.11.20,logstash-2014.11.21,logstash-2014.11.22,logstash-2014.11.23,logstash-2014.11.24,logstash-2014.11.25,logstash-2014.11.26,logstash-2014.11.27,logstash-2014.11.28,logstash-2014.11.29,logstash-2014.11.30,logstash-2014.12.01,logstash-2014.12.02,logstash-2014.12.03,logstash-2014.12.04,logstash-2014.12.05,logstash-2014.12.06,logstash-2014.12.07,logstash-2014.12.08,logstash-2014.12.09,logstash-2014.12.10,logstash-2014.12.11/my_type/_search?pretty \
  -d '{
    "query": {
      "filtered": {
        "filter": {
          "and": [
            {
              "term": {
                "myfield.raw": "Something"
              }
            }
          ]
        }
      }
    },
    "aggregations": {
      "agg_by_remote_ip": {
        "significant_terms": {
          "field": "remote_ip"
        }
      }
    }
  }'
# Results (bg_count == 45203)
...
  "aggregations" : {
    "agg_by_remote_ip" : {
      "doc_count" : 102,
      "buckets" : [ {
        "key" : "xx.65.xx.112",
        "doc_count" : 102,
        "score" : 10834.56312205343,
        "bg_count" : 45203
      } ]
    }
  }
However, if I add a range filter which uses @timestamp like the one below, then it
reduces the bg_count of the aggregation results.
# Added range filter
{
  "range": {
    "@timestamp": {
      "from": "2014-12-10T15:00:00.000+00:00",
      "to": "2014-12-10T18:00:00.000+00:00"
    }
  }
}
# Results (bg_count == 1802)
...
  "aggregations" : {
    "agg_by_remote_ip" : {
      "doc_count" : 102,
      "buckets" : [ {
        "key" : "xx.65.xx.112",
        "doc_count" : 102,
        "score" : 10834.56312205343,
        "bg_count" : 1802
      } ]
    }
  }
The reduced bg_count value is equal to the result when I use only the
"logstash-2014.12.10" index.
So, it seems that a range filter which uses the @timestamp field ignores all
indices that are not in the range.
Is there any way to use @timestamp while the bg_count is not changed in the
significant_terms aggregation?
Thanks in advance.
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0dd756a9-cd40-45e2-be7b-79db9237ef96%40googlegroups.com.
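As an added example (not code from the original post), a small Python script that builds the 1.x request body from the post with and without the @timestamp range filter and compares bg_count per bucket between two responses, so a change in the background set can be spotted automatically rather than by eye. The host, the index name in INDEX_TYPE and the search() helper are assumptions, and the two embedded responses are constructed from the numbers quoted above.

```python
import json
import urllib.request

ES_URL = "http://localhost:9200"            # assumption: the host from the post
INDEX_TYPE = "logstash-2014.12.10/my_type"  # assumption: a single index for brevity


def build_body(term_value, time_range=None):
    """Build the 1.x filtered-query body used in the post; time_range is an
    optional (from, to) pair that appends the @timestamp range filter."""
    filters = [{"term": {"myfield.raw": term_value}}]
    if time_range is not None:
        filters.append({"range": {"@timestamp": {"from": time_range[0],
                                                 "to": time_range[1]}}})
    return {
        "query": {"filtered": {"filter": {"and": filters}}},
        "aggregations": {"agg_by_remote_ip": {
            "significant_terms": {"field": "remote_ip"}}},
    }


def search(body, es_url=ES_URL, index_type=INDEX_TYPE):
    """POST the body to _search (hypothetical helper; needs a live cluster)."""
    req = urllib.request.Request(f"{es_url}/{index_type}/_search",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def bg_counts(response, agg="agg_by_remote_ip"):
    """Map each significant_terms bucket key to its bg_count."""
    return {b["key"]: b["bg_count"]
            for b in response["aggregations"][agg]["buckets"]}


def bg_count_drift(base, filtered):
    """Keys whose bg_count differs between two responses -> (base, filtered).
    A non-empty result means the extra filter changed the background set,
    not only the foreground doc_count."""
    a, b = bg_counts(base), bg_counts(filtered)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


# Constructed sample responses, trimmed to the numbers quoted in the post.
RESP_ALL = {"aggregations": {"agg_by_remote_ip": {"doc_count": 102, "buckets": [
    {"key": "xx.65.xx.112", "doc_count": 102, "score": 10834.56, "bg_count": 45203}]}}}
RESP_RANGE = {"aggregations": {"agg_by_remote_ip": {"doc_count": 102, "buckets": [
    {"key": "xx.65.xx.112", "doc_count": 102, "score": 10834.56, "bg_count": 1802}]}}}

if __name__ == "__main__":
    print(bg_count_drift(RESP_ALL, RESP_RANGE))
```

Against a live cluster, replace the constructed responses with search(build_body("Something")) and search(build_body("Something", (from, to))) to check whether the drift reproduces on your own indices.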