Hi,
I'm getting more hits from a more restrictive search that uses "and" together with a timestamp condition.
Is this a bug, or is my query syntax wrong?
query1
GET /myindex-*/_search?_source=true&track_total_hits=true
{
"query": {
"query_string": {
"query": "(@timestamp:>=now-1m)"
}
}
}
result:
{
"took" : 7,
"timed_out" : false,
"_shards" : {
"total" : 28,
"successful" : 28,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 88,
"relation" : "eq"
},
query2
GET /myindex-*/_search?_source=true&track_total_hits=true
{
"query": {
"query_string": {
"query": "(kubernetes.namespace:ns1) and (@timestamp:>=now-1m)"
}
}
}
result:
{
"took" : 90,
"timed_out" : false,
"_shards" : {
"total" : 28,
"successful" : 28,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 2013173,
"relation" : "eq"
},