Impossible query response?

iamthealex1 · November 17, 2022, 6:13pm

  POST /metricbeat-2022.11.17/_search
{
  "size": 2,
  "_source": ["system.process.cpu.total.pct"],
  "query": {
    "bool": {
      "must": [
        {"match": { "event.dataset": "system.process" }},
        {"range": { "@timestamp": { "gte": "now-30m"   }  } },
        {"match": { "process.name": "gnome-shell"  } }
      ]
    }
  }, 
  "aggs": {
    "max_cpu": { "max": { "field": "system.process.cpu.total.pct" } }
  }
}

Returned a response like this:


{
  "took" : 896,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 180,
      "relation" : "eq"
    },
    "max_score" : 4.0646133,
    "hits" : [
      {
        "_index" : "metricbeat-2022.11.17",
        "_id" : "GtKphoQBTwBiL9RwTxkO",
        "_score" : 4.0646133,
        "_source" : {
          "system" : {
            "process" : {
              "cpu" : {
                "total" : {
                  "pct" : 0.1149
                }
              }
            }
          }
        }
      },
      {
        "_index" : "metricbeat-2022.11.17",
        "_id" : "LNKphoQBTwBiL9RwWhnI",
        "_score" : 4.0646133,
        "_source" : {
          "system" : {
            "process" : {
              "cpu" : {
                "total" : {
                  "pct" : 0.1279
                }
              }
            }
          }
        }
      }
    ]
  },
  "aggregations" : {
    "max_cpu" : {
      "value" : 0.0
    }
  }
}

How is it possible that at least one returned document has a positive value for system.process.cpu.total.pct, but the max aggregation returns zero?

iamthealex1 · November 17, 2022, 6:16pm

FWIW, the type of that field is long:

GET metricbeat-2022.11.17/_mapping/field/system.process.cpu.total.pct


{
  "metricbeat-2022.11.17" : {
    "mappings" : {
      "system.process.cpu.total.pct" : {
        "full_name" : "system.process.cpu.total.pct",
        "mapping" : {
          "pct" : {
            "type" : "long"
          }
        }
      }
    }
  }
}

iamthealex1 · November 17, 2022, 6:56pm

I'm not sure why the mapping was "long". To me it seems it should've been double.

iamthealex1 · November 17, 2022, 7:50pm

I was trying to have metricbeat write to a file and to have filebeat read the metricbeat files.
With that approach, I missed loading the metricbeat mappings.
I removed my data, ran metricbeat briefly with the elasticsearch output enbabled to install the mappings.
After verifying that the correct mappings were in place in Elasticsearch, I replaced the metricbeat output to go to a file and started filebeat.

All looks good now.

phew

system · December 15, 2022, 7:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch Query to fetch specific fields from the metricbeat index Elasticsearch	1	409	November 5, 2018
Aggregation returning contradictory results Elasticsearch	3	348	November 3, 2020
DSL Query For CPU Load (MetricBeat Data) Elasticsearch	9	1792	February 17, 2017
_msearch query seems ignore filter Elasticsearch	1	422	May 2, 2017
Need help with search query Elasticsearch	5	453	March 9, 2023

Impossible query response?

Related topics