Hey all!
Long-time user, first-time poster!
I've been trying to figure out a problem we're seeing with some unique search behavior on runtime fields when using CCS.
REF: Runtime fields in a search request
When done on a cluster & searched locally on that cluster, all works well.
When done on a search head and searched via CCS, all works well but ONLY for certain query types.
MATCH/REGEX queries on the runtime field work fine. It seems, however, that when using a TERM or WILDCARD query on the runtime field, it rewrites the query to a match_none (as evidenced in query slowlogs).
I'm guessing this is some sort of query rewrite to make the query more performant, perhaps checking the field capabilities of the field, finding there's no explicit mapping on the remote cluster, and marking that bool of the term as match_none: {}.
This worked fine in v7, however, we're noticing the new behavior after an upgrade to 8.13.x .
Am I missing something? is this "feature, not bug", or is something else going on here?
Thanks in advance!