"hits": {
"hits": [],
"total": 24,
"max_score": 0
},
"took": 2,
"timed_out": false,
"offenders": [],
"aggregations": {
"source_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": []
Hey Jason,
can we focus only on the query for now, please? Please include the full request and the full response. I do think the culprit is here. Is it possible that source_ip is not part of the documents you found? Please change or remove size:0 to check the documents being returned. And include that response here.
--Alex
With request I meant the search request, not the watch. Sorry for being unclear.
Hopefully I have understood what you want correctly
No, I would like to see the output of the exact query used in the watch, but with size:0 removed.
Sorry for all the back and forth, but that's the only way of reducing uncertainty.
@spincscale - I have updated the above post for you and anonymized the returned data
There are so many snippets, I do not really know which one you updated, can you just please append it here? I could not find a search response above, that came from the watch, but I might be just blind.
Is this what you want? :
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-body.html
I'm lost as to what you want, apologies.
Hey,
I am not interested in anything the watch is doing or returning. I am only interested in the query and its response (without the query being inside a watch).
--Alex