We are using Kibana v6.8.1 to search log messages
When we try to filter messages using the "Filter for value" icon like so:
we notice Kibana generates search query with a match_phrase clause in Query Context, like so:
"query":{"bool":{"must":[{"match_phrase":{"fields.cloud_service":{"query":"query-service"}}},{"range":{"@timestamp":{"gte":1582892416657,"lte":1582893316657,"format":"epoch_millis"}}}],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}
The query clause triggers scoring and from search profiling we see that scoring is taking a lot of time
Instead of using Kibana UI filters, if we typed the lucene query fields.cloud_service:query-service in the Kibana text field, it is orders of magnitude faster. In this case Kibana generates a match_phrase in Filter Context. Since this is running in Filter Context, there is no scoring involved and the search are much faster.
"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":1582893170986,"lte":1582894070986,"format":"epoch_millis"}}}],"filter":[{"bool":{"should":[{"match_phrase":{"fields.cloud_service":"query-service"}}],"minimum_should_match":1}}],"should":[],"must_not":[]}}
Is there a reason why Kibana UI filters do not use Filter Context by default? Is there an option to force Kibana UI filters to use Filter Context instead of Query Context?