Query returns empty result when filtering on labels and timestamp

Hello there,
I'm having some problems with querying in Kibana, so I tried to create a manual query using the /_search API.

My index template is composed of .alerts-ecs-mappings, logs-mappings and logs-settings component templates.

Running a query like below returns an empty result.

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2022-08-03T00:00:00.000Z",
              "lte": "2022-08-05T11:04:27.086Z"
            }
          }
        },
        {
          "match":{
            "labels.job_type": "repair"
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

But removing either the range or match parts returns expected results. If I add some other filters on ECS fields, e.g. log.level or event.action, then I get results, but as soon as I combine any labels.* and @timestamp, then the result is empty.

I'm getting pretty desperate, because we use Elastic and Kibana to store logs and this means that, basically, I cannot do any filters on our logs.

Any tips what could cause this behaviour?

Hi @ithline ,
Can you please share a document that should match your criteria?
Also kindly share the mapping of the index/indices you are trying to query

After some more diagnostics, it looks like at some point the labels field stopped being indexed, because I can filter older documents by that field, but I cannot get any new ones.

Then I double checked settings on older indices and the newer ones and it turns out that dynamic_mapping was disabled at some point. Enabling it and rolling over data stream enables filtering on labels again.
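The diagnosis above is worth turning into a check you can run before opening a thread: when an index (or its template) has dynamic mapping switched off, documents are still accepted and labels.* still appears in _source, but any sub-field that is not listed explicitly under properties is never indexed, so a filter on it matches nothing while @timestamp and other explicitly mapped fields keep working. That is also consistent with the first post: dropping the range clause lets the query reach older indices where labels.job_type was still indexed, and dropping the match clause leaves only the date filter, which the new indices satisfy. The script below is an added example, not code from the thread; the two mappings and the query are constructed for illustration, and in practice you would feed it the JSON from GET /<index>/_mapping for the backing indices of your data stream. It walks the dotted field names used by a query's leaf clauses through the mapping, honouring the inherited dynamic setting the way Elasticsearch does, and reports which filters can never match.

```python
"""Offline check: which fields referenced by an Elasticsearch query are actually
indexed under a given mapping. Mappings and query are constructed samples."""
import json

# Constructed: an older backing index created while dynamic mapping was on,
# so labels.job_type was added to the mapping when the first document arrived.
OLD_INDEX_MAPPING = {
    "dynamic": True,
    "properties": {
        "@timestamp": {"type": "date"},
        "log": {"properties": {"level": {"type": "keyword"}}},
        "labels": {"type": "object",
                   "properties": {"job_type": {"type": "keyword"}}},
    },
}

# Constructed: a newer backing index with dynamic mapping disabled. labels is an
# object with no sub-fields, and no new ones will ever be added.
NEW_INDEX_MAPPING = {
    "dynamic": False,
    "properties": {
        "@timestamp": {"type": "date"},
        "log": {"properties": {"level": {"type": "keyword"}}},
        "labels": {"type": "object"},
    },
}

# The shape of the query from the first post, reduced to its filter clauses.
QUERY = {
    "query": {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"gte": "2022-08-03T00:00:00.000Z",
                                          "lte": "2022-08-05T11:04:27.086Z"}}},
                {"match": {"labels.job_type": "repair"}},
            ]
        }
    }
}

LEAF_CLAUSES = {"range", "match", "match_phrase", "term", "terms", "prefix",
                "wildcard", "exists"}


def referenced_fields(node):
    """Walk a query body and yield the field names used by leaf clauses."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LEAF_CLAUSES and isinstance(value, dict):
                if key == "exists":
                    yield value["field"]
                else:
                    yield from value.keys()
            else:
                yield from referenced_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from referenced_fields(item)


def _is_dynamic(value):
    # Elasticsearch returns dynamic as a string ("true", "false", "strict",
    # "runtime"); only true and runtime let new fields become searchable.
    return str(value).lower() in ("true", "runtime")


def field_status(mapping, dotted_name):
    """Classify a dotted field name against an index mapping.

    'mapped'   : explicitly present under properties, so it is indexed
    'dynamic'  : absent, but dynamic mapping is on along the path, so it would
                 be added when the first document carrying it arrives
    'unmapped' : absent and an ancestor has dynamic false/strict, so the value
                 lives only in _source and no filter on it can ever match
    """
    node = mapping
    dynamic = mapping.get("dynamic", True)
    for part in dotted_name.split("."):
        props = node.get("properties", {})
        if part not in props:
            return "dynamic" if _is_dynamic(dynamic) else "unmapped"
        node = props[part]
        dynamic = node.get("dynamic", dynamic)  # objects inherit the parent's setting
    return "mapped"


def diagnose(mapping, query):
    """Map every field the query references to its status in this mapping."""
    return {f: field_status(mapping, f) for f in referenced_fields(query)}


def unmapped_fields(mapping, query):
    """Fields whose filter can never match a document in this index."""
    return sorted(f for f, s in diagnose(mapping, query).items() if s == "unmapped")


if __name__ == "__main__":
    for name, mapping in (("old index", OLD_INDEX_MAPPING), ("new index", NEW_INDEX_MAPPING)):
        print(name, json.dumps(diagnose(mapping, QUERY)))
        print("  filters that can never match:", unmapped_fields(mapping, QUERY))
```

Running it against the two constructed mappings reports labels.job_type as mapped in the old index and unmapped in the new one, which is exactly the split seen in the thread: results only from documents written before dynamic mapping was turned off. A non-empty unmapped list is the cue to look at mappings.dynamic in the index template; since existing backing indices keep the mapping they were created with, fixing the template only takes effect for new documents after a rollover, as the post above describes.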

So at the moment the behavior is as expected (including filtering by @timestamp)?
