Hi, we are running ELK 5.4.3. The query for the bar chart is:
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "(type:error OR type:alert OR type:message-log OR type:prompt OR type:action-log OR type:recording OR type:notice) AND NOT attrs.sub-type:transport",
            "analyze_wildcard": true,
            "fuzzy_max_expansions": 0,
            "fuzziness": 0
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1547021748849,
              "lte": 1547051734083,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "size": 0,
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "10m",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 1
      },
      "aggs": {
        "3": {
          "terms": {
            "field": "type_translate",
            "size": 20,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  },
  "version": true
}
But it shows nothing. See:
BUT when I use a specific filter for attrs.hostname, it shows one event. How is it so?
The query is the same, with no other changes (no time change or anything), just one more filter. The type is "notice", so the first filter is always true.
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "(type:error OR type:alert OR type:message-log OR type:prompt OR type:action-log OR type:recording OR type:notice) AND NOT attrs.sub-type:transport",
            "analyze_wildcard": true,
            "fuzzy_max_expansions": 0,
            "fuzziness": 0
          }
        },
        {
          "query_string": {
            "query": "attrs.hostname:pokus",
            "analyze_wildcard": true,
            "fuzzy_max_expansions": 0,
            "fuzziness": 0
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1547021748849,
              "lte": 1547051734083,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "size": 0,
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "10m",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 1
      },
      "aggs": {
        "3": {
          "terms": {
            "field": "type_translate",
            "size": 20,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  },
  "version": true
}