I'm trying to figure out how to query elasticsearch where I have a field and basically I want to find where state=Fail.
Now I have my data imported and am able to query it using Kibana just fine and it returns about 800 items for that time range which is what I expect.
My kibana query looks like:
{
  "size": 500,
  "sort": [
    {
      "timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "state:\"Fail\"",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "timestamp": {
                  "gte": 1441734330633,
                  "lte": 1473356730633,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "timestamp",
        "interval": "1w",
        "time_zone": "America/New_York",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1441734330632,
          "max": 1473356730633
        }
      }
    }
  },
  "fields": [
    "*",
    "_source"
  ],
  "script_fields": {},
  "fielddata_fields": [
    "timestamp"
  ]
}
Now, using the official elasticsearch-dsl Python library, I am trying:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search, Q

client = Elasticsearch()  # assumed: a client connected to the same cluster Kibana uses
search = Search(using=client)
response = search.query(Q('term', state='Fail'))  # only the state clause, no time range
response.execute()
response.count()
The count shows 47430 items, which is not correct; it should be around 800.
I have also tried:
response = search.filter('term', state='Fail')  # same clause in filter context
response.execute()
response.count()
This also seems to report 47430 again.
Any thoughts as to what I'm doing wrong would be greatly appreciated.
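As an added illustration (not code from the question or from elasticsearch-dsl), the function below reduces the Kibana request above to the clauses that actually decide the count, the state match plus the time-range filter, and evaluates that body against a few constructed in-memory documents so the effect of dropping the range can be seen offline. The document list and the `keep_range` switch are assumptions made for the demonstration; the equivalent elasticsearch-dsl chain would be `Search(using=client).query('match', state='Fail').filter('range', timestamp={...}).count()` with the same bounds.

```python
import json

# Constructed sample request: the parts of the Kibana body from the question
# that decide which documents are counted (the text query and the time range).
KIBANA_BODY = {
    "query": {
        "filtered": {
            "query": {"query_string": {"query": "state:\"Fail\"", "analyze_wildcard": True}},
            "filter": {"bool": {"must": [{"range": {"timestamp": {
                "gte": 1441734330633, "lte": 1473356730633, "format": "epoch_millis"}}}],
                "must_not": []}},
        }
    }
}

def count_body(kibana_body, keep_range=True):
    """Build the minimal body a count request needs from the Kibana request.
    The 'state:"Fail"' query_string becomes an exact field match and the range
    filters are kept; keep_range=False mirrors a Search that carries no time range."""
    filtered = kibana_body["query"]["filtered"]
    field, _, value = filtered["query"]["query_string"]["query"].partition(":")
    must = [{"match": {field: value.strip('"')}}]
    filters = filtered["filter"]["bool"]["must"] if keep_range else []
    return {"query": {"bool": {"must": must, "filter": filters}}}

def _doc_matches(doc, body):
    """Evaluate the simple bool body produced above against one document."""
    for clause in body["query"]["bool"]["must"]:
        for field, value in clause["match"].items():
            if doc.get(field) != value:
                return False
    for clause in body["query"]["bool"]["filter"]:
        for field, bounds in clause["range"].items():
            v = doc.get(field)
            if v is None or v < bounds.get("gte", v) or v > bounds.get("lte", v):
                return False
    return True

def count_docs(docs, body):
    return sum(1 for d in docs if _doc_matches(d, body))

# Constructed documents: two Fail events inside the range, one before it, one Pass.
SAMPLE_DOCS = [
    {"state": "Fail", "timestamp": 1441734330633},
    {"state": "Fail", "timestamp": 1460000000000},
    {"state": "Fail", "timestamp": 1400000000000},
    {"state": "Pass", "timestamp": 1460000000000},
]

if __name__ == "__main__":
    print(json.dumps(count_body(KIBANA_BODY), indent=2))
    print(count_docs(SAMPLE_DOCS, count_body(KIBANA_BODY)))         # 2
    print(count_docs(SAMPLE_DOCS, count_body(KIBANA_BODY, False)))  # 3
```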