Kibana filter for field equality returns two documents with different field values

Time: 2018-12-28 06:42:23

Tags: elasticsearch elastic-stack

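While using Kibana Discover mode, we found an intriguing result.

For a given index, within a specific time range, we observed the following: when filtering the field "time_stamp" (mapped to long) for equality with a specific value (1545287341), it returned two documents: one with the exact value and another that is close.

How is this possible? Shouldn't the only document returned be the one with the specified value? What are the possible reasons for Elasticsearch to respond incorrectly? Help is appreciated, as this is very intriguing.

I have captured the query sent by Kibana here.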

{
"version": true,
"size": 500,
"sort": [{
    "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
    }
}],
"_source": {
    "excludes": []
},
"aggs": {
    "2": {
        "date_histogram": {
            "field": "@timestamp",
            "interval": "3h",
            "time_zone": "Etc/UTC",
            "min_doc_count": 1
        }
    }
},
"stored_fields": ["*"],
"script_fields": {},
"docvalue_fields": ["@timestamp", "day"],
"query": {
    "bool": {
        "must": [{
            "match_all": {}
        }, {
            "match_phrase": {
                "dev_id.keyword": {
                    "query": "22170821152"
                }
            }
        }, {
            "match_phrase": {
                "time_stamp": {
                    "query": 1545287341
                }
            }
        }, {
            "range": {
                "@timestamp": {
                    "gte": 1544659200000,
                    "lte": 1545350399999,
                    "format": "epoch_millis"
                }
            }
        }],
        "filter": [],
        "should": [],
        "must_not": []
    }
},
"highlight": {
    "pre_tags": ["@kibana-highlighted-field@"],
    "post_tags": ["@/kibana-highlighted-field@"],
    "fields": {
        "*": {}
    },
    "fragment_size": 2147483647
}
}

The (redacted) response also shows the close-but-not-exact hit:

 {
"responses": [{
    "took": 2,
    "timed_out": false,
    "_shards": {
        "total": 10,
        "successful": 10,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": 2,
        "max_score": null,
        "hits": [{
            "_index": "pkt-2018-12",
            "_type": "doc",
            "_id": "CzvHahOE1jrv+tFWGorFH4gV6cs=",
            "_version": 1,
            "_score": null,
            "_source": {
                "time_stamp": 1.545287341E9,
                "@timestamp": "2018-12-20T06:29:01.000Z"
            },
            "fields": {
                "@timestamp": ["2018-12-20T06:29:01.000Z"]
            },
            "highlight": {
                "dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
            },
            "sort": [1545287341000]
        }, {
            "_index": "pkt-2018-12",
            "_type": "doc",
            "_id": "PbeMWFMNpvwrjnZpBJtexDwfE9k=",
            "_version": 1,
            "_score": null,
            "_source": {
                "time_stamp": 1.545287281E9,
                "@timestamp": "2018-12-20T06:28:01.000Z"
            },
            "fields": {
                "@timestamp": ["2018-12-20T06:28:01.000Z"]
            },
            "highlight": {
                "dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
            },
            "sort": [1545287281000]
        }]
    },
    "aggregations": {
        "2": {
            "buckets": [{
                "key_as_string": "2018-12-20T06:00:00.000Z",
                "key": 1545285600000,
                "doc_count": 2
            }]
        }
    },
    "status": 200
}]

}

0 answers:

No answers