Multi match bool query returning 0 hits on large number of documents

Finley · December 23, 2020, 6:58pm

Hi,

I have 2 elk cluster in 7.10.

A -> 70 documents per hour
B -> 100 - 300 documents per second (825k on 1 hour)

When I am doing a KQL search in kibana (discover) with just typing "POST", on the cluster A, it's returning all documents in the last 15 min any field that contains the value "POST".

When I am doing the same search on the cluster B, 0 hits are returned.

Kibana is converting the KQL Query into an Elastic Query DSL.

With an inspect, I can see that it's converting like this :

"query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "multi_match": {
            "type": "best_fields",
            "query": "POST",
            "lenient": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-12-23T18:35:04.481Z",
              "lte": "2020-12-23T18:50:04.481Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

I guess that it's not working because I have a large number of documents on the cluster B. I didn't find in the documentation why it's returning 0 hits.

Also, with a simple_query_string, it works on both cluster (A and B).

{
    "query": {
        "simple_query_string" : {
            "query": "POST",
            "fields": ["*"]
        }
    }
}

Which setting should I increase to search on large number of documents with multi_match ?

Thank you

Finley · December 25, 2020, 8:16pm

Small Up

Christian_Dahlqvist · December 28, 2020, 10:46am

Have you compared the mappings for the field(s) that contain POST between the two clusters? Is it possible that they are mapped differently?

system · January 25, 2021, 10:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.