Hi,
I have 2 ELK clusters on 7.10.
A -> 70 documents per hour
B -> 100 - 300 documents per second (825k on 1 hour)
When I do a KQL search in Kibana (Discover) by just typing "POST" on cluster A, it returns all documents in the last 15 min with any field that contains the value "POST".
When I do the same search on cluster B, 0 hits are returned.
Kibana is converting the KQL Query into an Elastic Query DSL.
With Inspect, I can see that it is converted like this:

```json
"query": {
  "bool": {
    "must": [],
    "filter": [
      {
        "multi_match": {
          "type": "best_fields",
          "query": "POST",
          "lenient": true
        }
      },
      {
        "range": {
          "@timestamp": {
            "gte": "2020-12-23T18:35:04.481Z",
            "lte": "2020-12-23T18:50:04.481Z",
            "format": "strict_date_optional_time"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}
```
I guess it's not working because I have a large number of documents on cluster B. I couldn't find in the documentation why it returns 0 hits.
Also, with a simple_query_string, it works on both clusters (A and B).

```json
{
  "query": {
    "simple_query_string": {
      "query": "POST",
      "fields": ["*"]
    }
  }
}
```
Which setting should I increase to search a large number of documents with multi_match?
Thank you
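To isolate whether the difference comes from Kibana or from the clusters themselves, it helps to rebuild the two request bodies from the post outside Kibana and run both against each cluster. The following Python is an added example, not code from the post or from Elastic: it regenerates the Discover-style `multi_match` + `@timestamp` range body for a bare term and a time window, the `simple_query_string` body, and a small harness that records the hit count of each body per cluster. The cluster names, the `search` callback and the `es_search_total` helper (which assumes the official `elasticsearch` Python client) are assumptions; the embedded `fake_search` is constructed sample data that mimics the symptom described in the post.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List


def _iso_millis(dt: datetime) -> str:
    """Format a UTC datetime the way Kibana sends it: millisecond precision, trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def kibana_free_text_query(term: str, end: datetime,
                           window: timedelta = timedelta(minutes=15)) -> Dict[str, Any]:
    """Rebuild the DSL that Discover generates for a bare KQL term plus the time picker.

    Note that no "fields" are given to multi_match, so the index's default field
    setting decides which fields are actually searched.
    """
    return {
        "query": {
            "bool": {
                "must": [],
                "filter": [
                    {"multi_match": {"type": "best_fields", "query": term, "lenient": True}},
                    {"range": {"@timestamp": {
                        "gte": _iso_millis(end - window),
                        "lte": _iso_millis(end),
                        "format": "strict_date_optional_time",
                    }}},
                ],
                "should": [],
                "must_not": [],
            }
        }
    }


def simple_query_string_query(term: str) -> Dict[str, Any]:
    """The explicit all-fields variant from the post ("fields": ["*"])."""
    return {"query": {"simple_query_string": {"query": term, "fields": ["*"]}}}


# Callback signature: (cluster_name, request_body) -> total hit count.
SearchFn = Callable[[str, Dict[str, Any]], int]


def compare_clusters(term: str, end: datetime, clusters: List[str],
                     search: SearchFn) -> Dict[str, Dict[str, int]]:
    """Run both bodies on every cluster and collect hit counts side by side."""
    bodies = {
        "multi_match": kibana_free_text_query(term, end),
        "simple_query_string": simple_query_string_query(term),
    }
    return {c: {name: search(c, body) for name, body in bodies.items()} for c in clusters}


def clusters_with_mismatch(results: Dict[str, Dict[str, int]]) -> List[str]:
    """Clusters where the Kibana-style body finds nothing but the explicit one does."""
    return [c for c, r in results.items()
            if r["multi_match"] == 0 and r["simple_query_string"] > 0]


def es_search_total(client: Any, index: str, body: Dict[str, Any]) -> int:
    """Assumed hook for a real cluster via elasticsearch-py 7.x; not used by the offline demo."""
    resp = client.search(index=index, body=body, size=0, track_total_hits=True)
    return int(resp["hits"]["total"]["value"])


# Constructed stand-in for two clusters that reproduces the reported symptom offline:
# cluster A answers both bodies, cluster B answers only the simple_query_string one.
def fake_search(cluster: str, body: Dict[str, Any]) -> int:
    explicit_fields = "simple_query_string" in body["query"]
    if cluster == "A":
        return 70
    return 825_000 if explicit_fields else 0


END = datetime(2020, 12, 23, 18, 50, 4, 481000, tzinfo=timezone.utc)

if __name__ == "__main__":
    results = compare_clusters("POST", END, ["A", "B"], fake_search)
    for cluster, counts in results.items():
        print(cluster, counts)
    print("mismatch on:", clusters_with_mismatch(results))
```

To use it against real clusters, pass a callback that wraps `es_search_total` with one client per cluster and the same index pattern Discover uses; a cluster listed by `clusters_with_mismatch` is one where the field-less `multi_match` and the explicit `fields: ["*"]` query disagree, which points at the search side rather than at Kibana.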