Kibana filter for equality on a field returns two documents with different field values

While using Kibana Discover mode on a given index and a specific time range, I found a case where, even when filtering on the field "time_stamp" being equal to a specific value (1545287341), it returned one document with the exact value and another whose value was merely close.

How is this possible? Shouldn't the only document returned be the one with the specified value? What could cause this incorrect reply? I would appreciate help, as this is very puzzling.

I am capturing the query sent by Kibana here.

{
	"version": true,
	"size": 500,
	"sort": [{
		"@timestamp": {
			"order": "desc",
			"unmapped_type": "boolean"
		}
	}],
	"_source": {
		"excludes": []
	},
	"aggs": {
		"2": {
			"date_histogram": {
				"field": "@timestamp",
				"interval": "3h",
				"time_zone": "Etc/UTC",
				"min_doc_count": 1
			}
		}
	},
	"stored_fields": ["*"],
	"script_fields": {},
	"docvalue_fields": ["@timestamp", "day"],
	"query": {
		"bool": {
			"must": [{
				"match_all": {}
			}, {
				"match_phrase": {
					"dev_id.keyword": {
						"query": "22170821152"
					}
				}
			}, {
				"match_phrase": {
					"time_stamp": {
						"query": 1545287341
					}
				}
			}, {
				"range": {
					"@timestamp": {
						"gte": 1544659200000,
						"lte": 1545350399999,
						"format": "epoch_millis"
					}
				}
			}],
			"filter": [],
			"should": [],
			"must_not": []
		}
	},
	"highlight": {
		"pre_tags": ["@kibana-highlighted-field@"],
		"post_tags": ["@/kibana-highlighted-field@"],
		"fields": {
			"*": {}
		},
		"fragment_size": 2147483647
	}
}

Here is the response, redacted because it contains many other fields that are not relevant:

{
	"responses": [{
		"took": 2,
		"timed_out": false,
		"_shards": {
			"total": 10,
			"successful": 10,
			"skipped": 0,
			"failed": 0
		},
		"hits": {
			"total": 2,
			"max_score": null,
			"hits": [{
				"_index": "pkt-2018-12",
				"_type": "doc",
				"_id": "CzvHahOE1jrv+tFWGorFH4gV6cs=",
				"_version": 1,
				"_score": null,
				"_source": {
					"time_stamp": 1.545287341E9,
					"@timestamp": "2018-12-20T06:29:01.000Z"
				},
				"fields": {
					"@timestamp": ["2018-12-20T06:29:01.000Z"]
				},
				"highlight": {
					"dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
				},
				"sort": [1545287341000]
			}, {
				"_index": "pkt-2018-12",
				"_type": "doc",
				"_id": "PbeMWFMNpvwrjnZpBJtexDwfE9k=",
				"_version": 1,
				"_score": null,
				"_source": {
					"time_stamp": 1.545287281E9,
					"@timestamp": "2018-12-20T06:28:01.000Z"
				},
				"fields": {
					"@timestamp": ["2018-12-20T06:28:01.000Z"]
				},
				"highlight": {
					"dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
				},
				"sort": [1545287281000]
			}]
		},
		"aggregations": {
			"2": {
				"buckets": [{
					"key_as_string": "2018-12-20T06:00:00.000Z",
					"key": 1545285600000,
					"doc_count": 2
				}]
			}
		},
		"status": 200
	}]
}

What is the mapping for the time_stamp field?

Sorry for this delayed response @spalger.

The mapping/type for time_stamp is long.

How exactly would mapping impact the result?

I haven't heard back; can you please clarify?
