Multi match bool query returning 0 hits on large number of documents

Hi,

I have 2 ELK clusters on 7.10.

A -> 70 documents per hour
B -> 100 - 300 documents per second (825k on 1 hour)

When I do a KQL search in Kibana (Discover) by just typing "POST" on cluster A, it returns all documents in the last 15 min with any field that contains the value "POST".

When I do the same search on cluster B, 0 hits are returned.

Kibana is converting the KQL Query into an Elastic Query DSL.

Using Inspect, I can see that it converts it like this:

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "multi_match": {
            "type": "best_fields",
            "query": "POST",
            "lenient": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-12-23T18:35:04.481Z",
              "lte": "2020-12-23T18:50:04.481Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

I guess it's not working because I have a large number of documents on cluster B. I couldn't find in the documentation why it returns 0 hits.

Also, with a simple_query_string, it works on both clusters (A and B).

{
    "query": {
        "simple_query_string" : {
            "query": "POST",
            "fields": ["*"]
        }
    }
}

Which setting should I increase to search on a large number of documents with multi_match?

Thank you

Small Up :innocent:

Have you compared the mappings for the field(s) that contain POST between the two clusters? Is it possible that they are mapped differently?
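One way to do the comparison suggested in the reply above, as an added example that is not part of this thread: flatten each cluster's index mapping, list the fields whose type differs, and work out which fields a `multi_match` with no `fields` key actually searches. That query falls back to `index.query.default_field`, which defaults to `*` (every mapped field), so a narrowed `default_field` on one cluster is another difference worth checking. The sample mappings and settings are constructed for the example; real ones come from `GET <index>/_mapping` and `GET <index>/_settings`.

```python
# Added example (not from the original thread): compare two indices' mappings and
# settings to see which fields a no-`fields` multi_match would search on each side.
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

def flatten_mapping(properties: dict, prefix: str = "") -> Dict[str, str]:
    """Flatten a mapping 'properties' tree into {"dotted.path": field_type}."""
    out: Dict[str, str] = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:                                # object field: recurse
            out.update(flatten_mapping(spec["properties"], path + "."))
        else:
            out[path] = spec.get("type", "object")
        for sub, subspec in spec.get("fields", {}).items():     # multi-fields, e.g. .keyword
            out[path + "." + sub] = subspec.get("type", "?")
    return out

def default_search_fields(settings: dict, properties: dict) -> List[str]:
    """Fields a multi_match without 'fields' searches: index.query.default_field,
    which defaults to '*'. Wildcard patterns are expanded here with fnmatchcase."""
    patterns = settings.get("index", {}).get("query", {}).get("default_field", "*")
    if isinstance(patterns, str):
        patterns = [patterns]
    fields = flatten_mapping(properties)
    return sorted(f for f in fields if any(fnmatchcase(f, p) for p in patterns))

def diff_mappings(props_a: dict, props_b: dict) -> Dict[str, Tuple[str, str]]:
    """Fields whose type differs between the clusters, or that exist on only one."""
    fa, fb = flatten_mapping(props_a), flatten_mapping(props_b)
    return {f: (fa.get(f, "<missing>"), fb.get(f, "<missing>"))
            for f in sorted(set(fa) | set(fb)) if fa.get(f) != fb.get(f)}

# Constructed sample mappings (hypothetical, shaped like an HTTP access-log index).
MAPPING_A = {"@timestamp": {"type": "date"},
             "method": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
             "url": {"properties": {"path": {"type": "keyword"}}}}
MAPPING_B = {"@timestamp": {"type": "date"},
             "method": {"type": "keyword"},
             "url": {"properties": {"path": {"type": "keyword"}}}}
SETTINGS_A: dict = {}                                                # default_field left at "*"
SETTINGS_B = {"index": {"query": {"default_field": ["url.*"]}}}     # narrowed on cluster B

if __name__ == "__main__":
    print("type differences:", diff_mappings(MAPPING_A, MAPPING_B))
    print("A searches:", default_search_fields(SETTINGS_A, MAPPING_A))
    print("B searches:", default_search_fields(SETTINGS_B, MAPPING_B))
```

With the constructed input, cluster B only ever searches `url.*`, so a term that lives in `method` cannot hit there even though the same query works on cluster A.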

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.