Hello everybody, I recently started using the filter_path
parameter (Common options | Elasticsearch Guide [8.16] | Elastic) to reduce the output of an msearch performed on some metricbeat indices: the first search looks for CPU usage and the second for the network traffic regarding a subset of network interfaces.
When there is no traffic (because there are no related interfaces) the second search is completely filtered out when using filter_path, while it is returned when that parameter is not used.
Here is a sample query:
GET metricbeat-*/_msearch?filter_path=responses.aggregations
{}
{
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-24h", "lte": "now"}}},
        {"term": {"host.name": "sensor_xyz"}}
      ],
      "filter": [
        {"term": {"metricset.name": "load"}}
      ]
    }
  },
  "aggs": {
    "by_day": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "10m"
      },
      "aggs": {
        "average": {
          "avg": {
            "field": "system.load.norm.5"
          }
        }
      }
    }
  },
  "size": 0
}
{}
{
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-24h", "lte": "now"}}},
        {"term": {"host.name": "sensor_xyz"}}
      ],
      "filter": [
        {"term": {"metricset.name": "network"}},
        {"terms": {"system.network.name": []}}
      ]
    }
  },
  "aggs": {
    "ifaces": {
      "terms": {
        "field": "system.network.name"
      },
      "aggs": {
        "interval": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "10m"
          },
          "aggs": {
            "traffic_peak": {"max": {"field": "system.network.in.bytes"}},
            "traffic_instant": {
              "derivative": {"buckets_path": "traffic_peak", "gap_policy": "skip", "unit": "1s"}
            }
          }
        }
      }
    }
  },
  "size": 0
}
Is this an expected result? I tried to extend the fields allowed by filter_path
without success; it seems that the fact that it is an empty search filters it out.
In this case the problem is caused by my own query, which will produce 0 results in the second search; however, I am concerned that this may also occur when there are no results for a particular query. With msearch this is very bad because the order and the number of responses are important to recognize the results.
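The following is an added, stand-alone example and is not code from the original post or from Elasticsearch. It models the documented filter_path pruning rule (a dotted path selects keys, `*` matches any key, and an object or array element left empty after pruning is dropped) and applies it to two constructed msearch responses shaped like the post's scenario: the first carries aggregations, the second has no "aggregations" key because its query matched nothing. It shows how `responses.aggregations` alone collapses the response array from two elements to one, so positional matching of results to requests breaks silently, and how adding a key that every response always carries (here `responses.status`, an assumption to verify against your own cluster) keeps the array cardinality intact. The `check_alignment` helper is the kind of guard a client should run before trusting response positions.

```python
"""Model of filter_path pruning applied to an _msearch response.

Added example, not Elasticsearch code. ASSUMPTION: filter_path keeps a key
when any path matches it and drops objects/array elements that end up empty.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample responses (values illustrative), mirroring the post:
# response 0 has aggregations, response 1 matched nothing and has none.
SAMPLE_RESPONSES = {
    "took": 12,
    "responses": [
        {
            "took": 9, "timed_out": False, "status": 200,
            "hits": {"total": {"value": 144, "relation": "eq"}, "hits": []},
            "aggregations": {"by_day": {"buckets": [
                {"key_as_string": "2024-01-01T00:00:00.000Z",
                 "doc_count": 60, "average": {"value": 0.42}}]}},
        },
        {
            "took": 1, "timed_out": False, "status": 200,
            "hits": {"total": {"value": 0, "relation": "eq"}, "hits": []},
            # no "aggregations" key: the second search matched nothing
        },
    ],
}


def _prune(node, paths):
    """Return a pruned copy of node, or None if nothing under it survives.

    paths is a list of remaining path segments; an exhausted path means the
    whole subtree is selected.
    """
    if any(len(p) == 0 for p in paths):
        return node
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            remaining = [p[1:] for p in paths if fnmatchcase(key, p[0])]
            if not remaining:
                continue
            kept = _prune(value, remaining)
            if kept is not None:
                out[key] = kept
        return out or None            # empty object -> dropped
    if isinstance(node, list):
        out = [k for k in (_prune(item, paths) for item in node) if k is not None]
        return out or None            # empty array -> dropped
    return None                       # scalar with unconsumed segments


def apply_filter_path(doc, filter_path):
    """Apply a comma-separated filter_path string to a response document."""
    paths = [p.strip().split(".") for p in filter_path.split(",") if p.strip()]
    pruned = _prune(doc, paths)
    return pruned if pruned is not None else {}


def response_count(doc, filter_path):
    """Number of elements left in 'responses' after filtering."""
    return len(apply_filter_path(doc, filter_path).get("responses", []))


def aligned_results(doc, filter_path):
    """Per-request aggregations (None where a request produced none).

    Only meaningful when the filtered array still has one entry per request.
    """
    filtered = apply_filter_path(doc, filter_path)
    return [r.get("aggregations") for r in filtered.get("responses", [])]


def check_alignment(doc, filter_path, expected_count):
    """Fail loudly instead of mis-attributing results to the wrong request."""
    got = response_count(doc, filter_path)
    if got != expected_count:
        raise ValueError(
            f"sent {expected_count} searches but got {got} responses: "
            f"filter_path={filter_path!r} dropped empty responses, "
            "positional matching is unsafe")
    return True


if __name__ == "__main__":
    for fp in ("responses.aggregations", "responses.aggregations,responses.status"):
        print(f"filter_path={fp}")
        print(json.dumps(apply_filter_path(SAMPLE_RESPONSES, fp), indent=2))
        print("responses kept:", response_count(SAMPLE_RESPONSES, fp))
```

Run it to see the first filter return a single-element array (the empty second search vanishes), while the second filter keeps both elements with the empty one reduced to `{"status": 200}`, so index 1 still maps to the network search.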