Total hits issue while drill down for a day search

Elastic Stack Elasticsearch
1

Hi,

I am using following query to search the data for a particular day 30/12/2011 (30th of Dec, 2011):

curl -XGET http://localhost:9200/_search?pretty=1 -d '{
"from" : 0,
"size" : 5,
"query" : {
"filtered" : {
"query" : {
"match_all" : {
}
},
"filter" : {
"range" : {
"date" : {
"from" : "2011/12/30 00:00:00",
"to" : "2011/12/30 23:59:59",
"include_lower" : true,
"include_upper" : false
}
}
}
}
},
"explain" : true,
"sort" : [ {
"date" : {
"order" : "desc"
}
} ]
}'

I am getting total hits as 100.

Now I am breaking the time interval "2011/12/30 00:00:00" to "2011/12/30 23:59:59" into hourly figures like following and perform search to drill down to finer details :

2011/12/30 00:00:00 to 2011/12/30 00:59:59
2011/12/30 01:00:00 to 2011/12/30 01:59:59
2011/12/30 02:00:00 to 2011/12/30 02:59:59
2011/12/30 03:00:00 to 2011/12/30 03:59:59
2011/12/30 04:00:00 to 2011/12/30 04:59:59
2011/12/30 05:00:00 to 2011/12/30 05:59:59
2011/12/30 06:00:00 to 2011/12/30 06:59:59
2011/12/30 07:00:00 to 2011/12/30 07:59:59
2011/12/30 08:00:00 to 2011/12/30 08:59:59
2011/12/30 09:00:00 to 2011/12/30 09:59:59
2011/12/30 10:00:00 to 2011/12/30 10:59:59
2011/12/30 11:00:00 to 2011/12/30 11:59:59
2011/12/30 12:00:00 to 2011/12/30 12:59:59
2011/12/30 13:00:00 to 2011/12/30 13:59:59
2011/12/30 14:00:00 to 2011/12/30 14:59:59
2011/12/30 15:00:00 to 2011/12/30 15:59:59
2011/12/30 16:00:00 to 2011/12/30 16:59:59
2011/12/30 17:00:00 to 2011/12/30 17:59:59
2011/12/30 18:00:00 to 2011/12/30 18:59:59
2011/12/30 19:00:00 to 2011/12/30 19:59:59
2011/12/30 20:00:00 to 2011/12/30 20:59:59
2011/12/30 21:00:00 to 2011/12/30 21:59:59
2011/12/30 22:00:00 to 2011/12/30 22:59:59
2011/12/30 23:00:00 to 2011/12/30 23:59:59

When I sum all the hourly totals , the sum is 98. It should have been 100 as the total hits for 30/12/2011 is 100. Could it be due to the fact that we are not specifying the millis in time and we are losing the hits for millis? The date format specified in mapping while creating the indices is "yyyy/MM/dd HH:mm:ss", it doesn't have millis.

Please suggest.

Thanks

2 
        "from" : "2011/12/30 00:00:00",
        "to" : "2011/12/30 23:59:59",
        "include_lower" : true,
        "include_upper" : false

When I sum all the hourly totals , the sum is 98. It should have been 100 as
the total hits for 30/12/2011 is 100. Could it be due to the fact that we
are not specifying the millis in time and we are losing the hits for millis?
The date format specified in mapping while creating the indices is
"yyyy/MM/dd HH:mm:ss", it doesn't have millis.

You're specifying include_upper:false, but the 'to' value in that case
should actually be '2011/12/31 00:00:00'.

clint

3

Thanks Clinton..