I have 2 indexes and am running the same query but getting different results. The second index thinks data is missing. Why? Query:
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "g_cst": {
              "value": "73198483380633600",
              "boost": 1
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "aggr_per_connection_type": {
      "terms": {
        "field": "tunnel_type",
        "order": [
          {
            "_count": "desc"
          },
          {
            "_key": "asc"
          }
        ]
      },
      "aggs": {
        "aggr_per_broker": {
          "terms": {
            "field": "g_brk",
            "show_term_doc_count_error": false,
            "order": [
              {
                "_count": "desc"
              },
              {
                "_key": "asc"
              }
            ]
          },
          "aggs": {
            "date_histogram": {
              "date_histogram": {
                "field": "time",
                "fixed_interval": "3600m",
                "offset": 0,
                "order": {
                  "_key": "asc"
                },
                "keyed": false,
                "min_doc_count": 0
              },
              "aggs": {
                "app_rtt_us": {
                  "max": {
                    "field": "app_rtt_us",
                    "missing": -1
                  }
                },
                "tcp_rtt_us": {
                  "max": {
                    "field": "tcp_rtt_us",
                    "missing": 0
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
I am getting a weird result from the second index: it misses data in the avg bucket, even though doc_count > 0.
{
  "took": 53,
  "timed_out": false,
  "_shards": { "total": 56, "successful": 56, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 10000, "relation": "gte" },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "aggr_per_connection_type": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "TUNNEL_LOG",
          "doc_count": 16327,
          "aggr_per_broker": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "72057594037937044",
                "doc_count": 11902,
                "date_histogram": {
                  "buckets": [
                    {
                      "key_as_string": "20211211T12:00:00.000Z",
                      "key": 1639224000000,
                      "doc_count": 363,
                      "app_rtt_us": {
                        "value": 1
                      },
                      "tcp_rtt_us": {
                        "value": 0
                      }
                    },
                    {
                      "key_as_string": "20211214T00:00:00.000Z",
                      "key": 1639440000000,
                      "doc_count": 1398,
                      "app_rtt_us": {
                        "value": 1
                      },
                      "tcp_rtt_us": {
                        "value": 0
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    }
  }
}
I'm not even sure where to look.
CodePudding user response:
Value mappings must be created before data ingestion, so that they will be indexed!
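One way to check what the answer suggests is to compare, across both indexes, the mapping of every field the question's aggregations read. This is an added example, not code from the original posts; the index names `index_a` and `index_b` and both mappings are constructed samples in the shape returned by `GET /<index>/_mapping`, and only top-level (non-nested) fields are handled.

```python
# Added example: sample mappings are constructed, in the shape of GET /<index>/_mapping.
AGGS = {  # trimmed copy of the "aggs" tree from the question's query
    "aggr_per_connection_type": {
        "terms": {"field": "tunnel_type"},
        "aggs": {"aggr_per_broker": {
            "terms": {"field": "g_brk"},
            "aggs": {"date_histogram": {
                "date_histogram": {"field": "time", "fixed_interval": "3600m"},
                "aggs": {
                    "app_rtt_us": {"max": {"field": "app_rtt_us", "missing": -1}},
                    "tcp_rtt_us": {"max": {"field": "tcp_rtt_us", "missing": 0}},
                }}}}}}}

MAPPINGS = {  # constructed: index_b was created with "dynamic": "false" and no RTT fields
    "index_a": {"mappings": {"properties": {
        "tunnel_type": {"type": "keyword"}, "g_brk": {"type": "keyword"},
        "time": {"type": "date"},
        "app_rtt_us": {"type": "long"}, "tcp_rtt_us": {"type": "long"}}}},
    "index_b": {"mappings": {"dynamic": "false", "properties": {
        "tunnel_type": {"type": "keyword"}, "g_brk": {"type": "keyword"},
        "time": {"type": "date"}}}},
}

def agg_fields(aggs):
    """Collect every "field" an aggregation tree reads, recursing into sub-aggs."""
    found = set()
    for body in aggs.values():
        for kind, spec in body.items():
            if kind in ("aggs", "aggregations"):
                found |= agg_fields(spec)
            elif isinstance(spec, dict) and "field" in spec:
                found.add(spec["field"])
    return found

def mapping_diff(aggs, mappings):
    """Return {field: {index: type or 'unmapped'}} for fields whose mapping differs."""
    diff = {}
    for field in sorted(agg_fields(aggs)):
        seen = {idx: m["mappings"].get("properties", {}).get(field, {}).get("type", "unmapped")
                for idx, m in mappings.items()}
        if len(set(seen.values())) > 1:
            diff[field] = seen
    return diff

if __name__ == "__main__":
    for field, seen in mapping_diff(AGGS, MAPPINGS).items():
        print(field, seen)
```

A field reported as `unmapped` in one index is present only in the stored documents there and was never indexed, which is the situation the answer describes.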