Search query using timestamp in "and" condition issue

Hi,
I'm getting more hits with a more exclusive search using "and" with timestamp.
Is it a bug, or is the query syntax wrong?

query1

    GET /myindex-*/_search?_source=true&track_total_hits=true
    {
      "query": {
        "query_string": {
          "query": "(@timestamp:>=now-1m)"
        }
      }
    }

result:

    {
      "took" : 7,
      "timed_out" : false,
      "_shards" : {
        "total" : 28,
        "successful" : 28,
        "skipped" : 0,
        "failed" : 0
      },
      "hits" : {
        "total" : {
          "value" : 88,
          "relation" : "eq"
        },

query2

    GET /myindex-*/_search?_source=true&track_total_hits=true
    {
      "query": {
        "query_string": {
          "query": "(kubernetes.namespace:ns1) and (@timestamp:>=now-1m)"
        }
      }
    }

result:

    {
      "took" : 90,
      "timed_out" : false,
      "_shards" : {
        "total" : 28,
        "successful" : 28,
        "skipped" : 0,
        "failed" : 0
      },
      "hits" : {
        "total" : {
          "value" : 2013173,
          "relation" : "eq"
        },

Issue is solved. It should be "AND" in the query, not "and".
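An added example, not part of the original posts: `query_string` recognizes the boolean operators only in upper case, so a bare lowercase `and` is parsed as a search term and the clauses are joined with the default operator (OR), which is why query2 returns more hits than query1. The Python check below flags such tokens before a query is sent; the function names are hypothetical, and a flagged word may be an intended search term, so review before rewriting.

```python
import re

# Boolean operators that query_string only recognizes in upper case.
OPERATORS = {"AND", "OR", "NOT"}

# A token is a quoted phrase (with backslash escapes) or a run of characters
# that are not whitespace, parentheses or quotes.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[^\s()"]+')


def find_lowercase_operators(query):
    """Return (offset, token) for bare words that look like a boolean
    operator but are not upper case, so they parse as search terms."""
    hits = []
    for m in TOKEN.finditer(query):
        tok = m.group(0)
        if tok.startswith('"'):
            continue  # inside a phrase, "and" is ordinary text
        if tok.upper() in OPERATORS and tok not in OPERATORS:
            hits.append((m.start(), tok))
    return hits


def uppercase_operators(query):
    """Rewrite the flagged tokens to upper case, leaving phrases untouched."""
    out, last = [], 0
    for offset, tok in find_lowercase_operators(query):
        out.append(query[last:offset])
        out.append(tok.upper())
        last = offset + len(tok)
    out.append(query[last:])
    return "".join(out)


# query2 from the post, plus constructed queries for the edge cases.
QUERY2 = "(kubernetes.namespace:ns1) and (@timestamp:>=now-1m)"
PHRASE = 'message:"search and rescue" AND level:error'   # constructed
FIELDED = "tag:and OR tag:Or"                            # constructed

if __name__ == "__main__":
    for q in (QUERY2, PHRASE, FIELDED):
        print(q, "->", find_lowercase_operators(q), uppercase_operators(q))
```
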
