If I use different timeline intervals on a rollup search I get a different set of resulting keys where I expect the same resulting keys but just in different time buckets and counts. It seems the larger the interval the less data I get. My fixed_interval for the rollup is 60m.
For example if I do the following with 60m vs 1d vs 30d fixed_interval, I get 32, 24, and 16 different domain.keyword keys respectively.
Is there some configurable size limit I don't know about?
Here is my query:
GET test_fixed_counts/_rollup_search
{
"size": 0,
"query": {
"range" : {
"datetime" : {
"gte": "2021-12-31T16:00:00.000000Z",
"lte": "2022-02-30T15:59:59.000000Z",
"format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"
}
}
},
"aggregations": {
"timeline": {
"date_histogram": {
"field": "datetime",
"fixed_interval": "60"
},
"aggs" : {
"parent_server" : {
"terms": {
"field": "server_groups.id_3.keyword",
"include": "c1"
},
"aggs": {
"value_count" : {
"terms" : {
"field" : "domain.keyword"
}
}
}
}
}
}
}
}