ok, I misunderstood, I thought you are still feeding into it.
In this case, I guess you might have some sparse data for domain and os. I suggest to try your test again but with a transform that lacks the 2 terms group_by. If that yields equal counts, it means domain and os do not always have a value.
Per default missing values are ignored in group_by. If you use 7.10 you can add "missing_bucket": true to your terms group_by to get groupings for them (with key null).