Incongruencies between queries and slow logs

Hello,
I'm running elasticsearch 6.5.4 with only one node and I've configured the slow log to log all queries. I've found some incongruencies between the query I'm running and the one that is logged in the slow log. Examples:

Query:

GET /network-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1d/d",
              "lt": "now/d"
            }
          }
        },
        {
          "term": {
            "src_addr": "1.1.1.1"
          }
        }
      ]
    }
  }
}

Result:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 5,
    "max_score" : 0.0,
    "hits" : [ ]
  }
}

Logged query:

{"size":0,"query":{"match_none":{"boost":1.0}}}

Query:

GET /network-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-300m",
              "lt": "now"
            }
          }
        },
        {
          "term": {
            "src_addr": "1.1.1.1"
          }
        }
      ]
    }
  }
}

Result:

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 5,
    "max_score" : 0.0,
    "hits" : [ ]
  }
}

Logged query:

{"size":0,"query":{"bool":{"filter":[{"range":{"@timestamp":{"from":"now-300m","to":"now","include_lower":true,"include_upper":false,"boost":1.0}}},{"term":{"src_addr":{"value":"1.1.1.1","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}}

How is that possible? Am I doing something wrong?
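The second pair above shows that the slow log does not record the request body verbatim: it records Elasticsearch's canonical long form, in which `gte`/`lt` become `from`/`to` plus `include_lower`/`include_upper`, a short `term` becomes `{"value": ..., "boost": 1.0}`, and a `bool` gains `adjust_pure_negative` and `boost`. Anyone comparing slow-log entries against the queries an application actually sends (for example when auditing who ran what) needs to apply the same normalization first. The script below is an added example, not code from the post or from Elasticsearch; the rewrite rules are inferred from the logged line quoted in the post and cover only the clause types it shows (`range`, `term`, `bool`, `match_all`/`match_none`). It assumes an open range bound is logged as `null` and that other range options (`format`, `time_zone`) pass through unchanged. The first pair, where the log holds `match_none`, is not reproduced by this normalization: both sent queries have the same shape, so that rewrite is not derivable from the query text alone, and the helper only flags such entries as not comparable.

```python
"""Normalize Elasticsearch query DSL shorthand into the long form written to the
search slow log, so a logged query can be compared with the query that was sent.
Added example; rules inferred from the slow-log line quoted in the post."""
import json
from typing import Any, Dict

# Second query of the post, exactly as sent.
SENT_QUERY: Dict[str, Any] = {
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"gte": "now-300m", "lt": "now"}}},
                {"term": {"src_addr": "1.1.1.1"}},
            ]
        }
    },
}

# Slow-log lines quoted in the post for the second and the first query.
LOGGED_LINE = (
    '{"size":0,"query":{"bool":{"filter":[{"range":{"@timestamp":{"from":"now-300m",'
    '"to":"now","include_lower":true,"include_upper":false,"boost":1.0}}},'
    '{"term":{"src_addr":{"value":"1.1.1.1","boost":1.0}}}],'
    '"adjust_pure_negative":true,"boost":1.0}}}'
)
LOGGED_MATCH_NONE = '{"size":0,"query":{"match_none":{"boost":1.0}}}'

BOOL_CLAUSES = ("must", "filter", "should", "must_not")


def _canon_range(body: Dict[str, Any]) -> Dict[str, Any]:
    # gte/gt -> "from" + include_lower; lte/lt -> "to" + include_upper.
    # An absent bound is assumed to be logged as null (assumption, not shown in the post).
    out: Dict[str, Any] = {"from": None, "to": None, "include_lower": True, "include_upper": True}
    for key, val in body.items():
        if key == "gte":
            out["from"], out["include_lower"] = val, True
        elif key == "gt":
            out["from"], out["include_lower"] = val, False
        elif key == "lte":
            out["to"], out["include_upper"] = val, True
        elif key == "lt":
            out["to"], out["include_upper"] = val, False
        else:
            out[key] = val  # already-long keys, format, time_zone: passed through (assumption)
    out.setdefault("boost", 1.0)
    return out


def _canon_term(body: Dict[str, Any]) -> Dict[str, Any]:
    # {"field": "v"} -> {"field": {"value": "v", "boost": 1.0}}
    out: Dict[str, Any] = {}
    for field, val in body.items():
        merged = dict(val) if isinstance(val, dict) else {"value": val}
        merged.setdefault("boost", 1.0)
        out[field] = merged
    return out


def _canon_bool(body: Dict[str, Any]) -> Dict[str, Any]:
    # Clause lists are canonicalized recursively; bool gets its default flags.
    out: Dict[str, Any] = {}
    for key, val in body.items():
        if key in BOOL_CLAUSES:
            clauses = val if isinstance(val, list) else [val]
            out[key] = [canonicalize_query(c) for c in clauses]
        else:
            out[key] = val
    out.setdefault("adjust_pure_negative", True)
    out.setdefault("boost", 1.0)
    return out


def canonicalize_query(clause: Dict[str, Any]) -> Dict[str, Any]:
    """Canonicalize one query clause (exactly one top-level key)."""
    if len(clause) != 1:
        raise ValueError("a query clause must have exactly one key")
    (kind, body), = clause.items()
    if kind == "range":
        (field, rbody), = body.items()
        return {"range": {field: _canon_range(rbody)}}
    if kind == "term":
        return {"term": _canon_term(body)}
    if kind == "bool":
        return {"bool": _canon_bool(body)}
    if kind in ("match_all", "match_none"):
        return {kind: {**body, "boost": body.get("boost", 1.0)}}
    raise ValueError(f"unsupported clause type: {kind}")


def canonicalize_request(request: Dict[str, Any]) -> Dict[str, Any]:
    """Canonicalize a search body; non-query keys such as size are kept as-is."""
    out = dict(request)
    if "query" in out:
        out["query"] = canonicalize_query(out["query"])
    return out


def matches_log(request: Dict[str, Any], logged_line: str) -> bool:
    """True when the slow-log entry is the canonical form of the sent request."""
    return canonicalize_request(request) == json.loads(logged_line)


def is_rewritten_to_match_none(logged_line: str) -> bool:
    """Flag entries whose query was replaced by match_none; these cannot be
    matched back to the sent query by syntax alone (see the first example)."""
    return "match_none" in json.loads(logged_line).get("query", {})


if __name__ == "__main__":
    print("second query matches its log line:", matches_log(SENT_QUERY, LOGGED_LINE))
    print("first log line is a match_none rewrite:", is_rewritten_to_match_none(LOGGED_MATCH_NONE))
```

Run it as-is to check the post's second pair; to check your own slow log, feed each `source[...]` JSON from the log line into `matches_log` together with the request your application sent, and treat `is_rewritten_to_match_none` hits as entries that need a different comparison key (for instance the request id or timestamp) rather than the query text.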
