Elasticsearch aggregation query missing data

Time:02-16

I have 2 indexes and run the same query against both, but I get different results. The second index behaves as if data is missing. Why? The query:

 {
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "g_cst": {
              "value": "73198483380633600",
              "boost": 1
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "aggr_per_connection_type": {
      "terms": {
        "field": "tunnel_type",
        "order": [
          {
            "_count": "desc"
          },
          {
            "_key": "asc"
          }
        ]
      },
      "aggs": {
        "aggr_per_broker": {
          "terms": {
            "field": "g_brk",
            "show_term_doc_count_error": false,
            "order": [
              {
                "_count": "desc"
              },
              {
                "_key": "asc"
              }
            ]
          },
          "aggs": {
            "date_histogram": {
              "date_histogram": {
                "field": "time",
                "fixed_interval": "3600m",
                "offset": 0,
                "order": {
                  "_key": "asc"
                },
                "keyed": false,
                "min_doc_count": 0
              },
              "aggs": {
                "app_rtt_us": {
                  "max": {
                    "field": "app_rtt_us",
                    "missing": -1
                  }
                },
                "tcp_rtt_us": {
                  "max": {
                    "field": "tcp_rtt_us",
                    "missing": 0
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

I am getting a weird result from the second index: data is missing in the avg bucket, even though doc_count > 0.

{
  "took": 53,
  "timed_out": false,
  "_shards": { "total": 56, "successful": 56, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 10000, "relation": "gte" },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "aggr_per_connection_type": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "TUNNEL_LOG",
          "doc_count": 16327,
          "aggr_per_broker": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "72057594037937044",
                "doc_count": 11902,
                "date_histogram": {
                  "buckets": [
                    {
                      "key_as_string": "20211211T12:00:00.000Z",
                      "key": 1639224000000,
                      "doc_count": 363,
                      "app_rtt_us": {
                        "value": 1
                      },
                      "tcp_rtt_us": {
                        "value": 0
                      }
                    },
                    {
                      "key_as_string": "20211214T00:00:00.000Z",
                      "key": 1639440000000,
                      "doc_count": 1398,
                      "app_rtt_us": {
                        "value": 1
                      },
                      "tcp_rtt_us": {
                        "value": 0
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    }
  }
}

I'm not even sure where to look.

CodePudding user response:

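The mappings for these value fields must be created before the data is ingested, so that the values are indexed! Compare the mappings of the two indexes: if a field was not mapped when the documents were ingested (for example, with dynamic mapping disabled), its values are not indexed and the aggregation cannot see them, so those documents have to be reindexed after the mapping is added.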
