Hi!
I am using the terms bucket aggregation. Something is going wrong and I cannot seem to solve it; I have already spent a lot of time on it.
The sum of the doc_count values across the buckets returned by the terms aggregation does not equal the total number of hits (in the response below, hits.total is 41 but the two buckets add up to only 6, even though sum_other_doc_count is 0).
Below is my request:
{
"aggs": {
"2": {
"terms": {
"field": "client.keyword",
"order": {
"_count": "desc"
},
"size": 1000
}
}
},
"size": 0,
"_source": {
"excludes": []
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "timestamp",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [
{
"match_all": {}
}
],
"filter": [
{
"match_phrase": {
"login_status.keyword": {
"query": "REJECT"
}
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2021-02-19T13:16:29.323Z",
"lte": "2021-02-19T13:26:29.323Z"
}
}
}
],
"should": [],
"must_not": []
}
}
}
and this is the response I receive:
{
"took": 685,
"timed_out": false,
"_shards": {
"total": 8,
"successful": 8,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 41,
"max_score": null,
"hits": []
},
"aggregations": {
"2": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "a:v:c:20:e3:a8",
"doc_count": 5
},
{
"key": "x:y:89:c7:07:9a",
"doc_count": 1
}
]
}
}
}
What am I doing wrong here?