URI query not matching all fields

This query is returning documents that don't match all the listed fields (they don't even have these fields).

type.keyword:"rsyslog" AND severity.keyword:("alert" OR "err" OR "crit") AND @timestamp:[now-10m TO now]

Encoded:

/_search?q=type.keyword%3a%22rsyslog%22%20AND%20severity.keyword%3a(%22alert%22%20OR%20%22err%22%20OR%20%22crit%22)%20AND%20%40timestamp%3a%5bnow-10m%20TO%20now%5d

With explain=true:

"_explanation": {
  "value": 1,
  "description": "@timestamp:[1553857603072 TO 1553858203072]",
  "details": []
}

Could you share a typical document which should match?

The problem is that these documents shouldn't match. The ones that should match are correctly returned by this query.

Could you provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

Index templates are the defaults from the respective products.
The search should return no hits, but returns the apm document.

POST /apm-test/_doc
{
  "@timestamp": 1553857900000
}
POST /logstash-test/_doc
{
  "@timestamp": 1553850000000,
  "type": "rsyslog",
  "severity": "err"
}
GET /_search?q=type.keyword%3a%22rsyslog%22%20AND%20severity.keyword%3a(%22alert%22%20OR%20%22err%22%20OR%20%22crit%22)%20AND%20%40timestamp%3a%5bnow-10m%20TO%20now%5d
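
The following is an added example, not part of any post in this thread. It takes the query string and its hand-encoded `q=` form from above, shows what the server decodes it to, expresses the same three constraints as a structured request body (the form that bypasses the query-string parser and URI encoding altogether), and evaluates the intended AND semantics locally against the two reproduction documents. The range bounds are the epoch millis from the `_explanation` output above; `should_match` and `expected_hits` are helpers written here and are not Elasticsearch APIs.

```python
"""Added example (not from the thread): decode the `q=` parameter, build the
equivalent request-body query, and check the intended semantics against the two
reproduction documents."""
import json
from urllib.parse import quote, unquote

# Query string and its URI-encoded form, both copied from the thread.
LUCENE_QUERY = ('type.keyword:"rsyslog" AND severity.keyword:("alert" OR "err" OR "crit") '
                'AND @timestamp:[now-10m TO now]')
ENCODED_Q = ("type.keyword%3a%22rsyslog%22%20AND%20severity.keyword%3a(%22alert%22%20OR%20"
             "%22err%22%20OR%20%22crit%22)%20AND%20%40timestamp%3a%5bnow-10m%20TO%20now%5d")

# Range bounds (epoch millis) as printed in the thread's _explanation output.
EXPLAIN_FROM, EXPLAIN_TO = 1553857603072, 1553858203072

# The two documents from the reproduction script (constructed copies).
DOCS = {
    "apm-test": {"@timestamp": 1553857900000},
    "logstash-test": {"@timestamp": 1553850000000, "type": "rsyslog", "severity": "err"},
}


def decode_q(encoded: str) -> str:
    """Return the query string the server actually sees after URI decoding."""
    return unquote(encoded)


def encode_q(query: str) -> str:
    """Percent-encode a Lucene query for the `q=` parameter. Python uses uppercase
    hex and also encodes the parentheses, so the bytes differ from the hand-encoded
    form in the thread, but both decode to the same query string."""
    return quote(query, safe="")


def request_body() -> dict:
    """The same constraints as LUCENE_QUERY as a structured bool query in filter
    context. No query-string parsing and no URI encoding is involved, which is
    the form to prefer when a script or alerting job generates the query."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"type.keyword": "rsyslog"}},
                    {"terms": {"severity.keyword": ["alert", "err", "crit"]}},
                    {"range": {"@timestamp": {"gte": "now-10m", "lte": "now"}}},
                ]
            }
        }
    }


def should_match(doc: dict, range_from: int = EXPLAIN_FROM, range_to: int = EXPLAIN_TO) -> bool:
    """Intended semantics of the query: every AND clause must hold, and a clause on
    a field the document does not have cannot hold (helper written for this example)."""
    if doc.get("type") != "rsyslog":
        return False
    if doc.get("severity") not in ("alert", "err", "crit"):
        return False
    ts = doc.get("@timestamp")
    return ts is not None and range_from <= ts <= range_to


def expected_hits(docs: dict = DOCS) -> list:
    """Index names of the documents that satisfy all three clauses."""
    return sorted(name for name, doc in docs.items() if should_match(doc))


if __name__ == "__main__":
    print("decoded q:", decode_q(ENCODED_Q))
    print("decodes to the original query:", decode_q(ENCODED_Q) == LUCENE_QUERY)
    print("request body:", json.dumps(request_body(), indent=2))
    print("expected hits:", expected_hits())  # the apm document is in the time range but lacks type/severity
```

Running it confirms that the hand-encoded `q=` value decodes to exactly the query written above, and that under the intended semantics neither reproduction document should be a hit: the apm document falls inside the time range but has no `type` or `severity` field, and the logstash document has the right fields but an out-of-range timestamp. When the `q=` form and the request-body form disagree on a live cluster, comparing their `explain` output is the quickest way to see which clause the query-string parser dropped or rewrote.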

I ran:

DELETE apm-test,logstash-test
POST /apm-test/_doc
{
  "@timestamp": 1553857900000
}
POST /logstash-test/_doc
{
  "@timestamp": 1553850000000,
  "type": "rsyslog",
  "severity": "err"
}
GET /_search?q=type.keyword%3a%22rsyslog%22%20AND%20severity.keyword%3a(%22alert%22%20OR%20%22err%22%20OR%20%22crit%22)%20AND%20%40timestamp%3a%5bnow-10m%20TO%20now%5d

I'm getting:

{
  "took" : 74,
  "timed_out" : false,
  "_shards" : {
    "total" : 11,
    "successful" : 11,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

Maybe your reproduction script is not really accurate, i.e. there is no mapping, so a default one is generated:

GET /apm-test/_mapping

gives:

{
  "apm-test" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "long"
        }
      }
    }
  }
}
