在使用Kibana Discover模式时,我们发现了一个令人关注的结果。
对于给定的索引,在特定的时间范围内,发现了以下情况:对字段“time_stamp”(映射为 long)进行等于特定值(1545287341)的过滤时,它返回了两个文档:一个文档的值精确匹配,另一个文档的值只是接近。
这怎么可能?返回的不应该只有具有指定值的那一个文档吗?Elasticsearch 做出错误响应的可能原因是什么?感谢帮助,因为这个问题非常令人费解。
我在这里捕获了Kibana发送的查询。
{
"version": true,
"size": 500,
"sort": [{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}],
"_source": {
"excludes": []
},
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"interval": "3h",
"time_zone": "Etc/UTC",
"min_doc_count": 1
}
}
},
"stored_fields": ["*"],
"script_fields": {},
"docvalue_fields": ["@timestamp", "day"],
"query": {
"bool": {
"must": [{
"match_all": {}
}, {
"match_phrase": {
"dev_id.keyword": {
"query": "22170821152"
}
}
}, {
"match_phrase": {
"time_stamp": {
"query": 1545287341
}
}
}, {
"range": {
"@timestamp": {
"gte": 1544659200000,
"lte": 1545350399999,
"format": "epoch_millis"
}
}
}],
"filter": [],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": ["@kibana-highlighted-field@"],
"post_tags": ["@/kibana-highlighted-field@"],
"fields": {
"*": {}
},
"fragment_size": 2147483647
}
}
(经过编辑的)响应也显示了一个接近但并不完全匹配的结果:
{
"responses": [{
"took": 2,
"timed_out": false,
"_shards": {
"total": 10,
"successful": 10,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 2,
"max_score": null,
"hits": [{
"_index": "pkt-2018-12",
"_type": "doc",
"_id": "CzvHahOE1jrv+tFWGorFH4gV6cs=",
"_version": 1,
"_score": null,
"_source": {
"time_stamp": 1.545287341E9,
"@timestamp": "2018-12-20T06:29:01.000Z",
},
"fields": {
"@timestamp": ["2018-12-20T06:29:01.000Z"]
},
"highlight": {
"dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
},
"sort": [1545287341000]
}, {
"_index": "pkt-2018-12",
"_type": "doc",
"_id": "PbeMWFMNpvwrjnZpBJtexDwfE9k=",
"_version": 1,
"_score": null,
"_source": {
"time_stamp": 1.545287281E9,
"@timestamp": "2018-12-20T06:28:01.000
},
"fields": {
"@timestamp": ["2018-12-20T06:28:01.000Z"]
},
"highlight": {
"dev_id.keyword": ["@kibana-highlighted-field@22170821152@/kibana-highlighted-field@"]
},
"sort": [1545287281000]
}]
},
"aggregations": {
"2": {
"buckets": [{
"key_as_string": "2018-12-20T06:00:00.000Z",
"key": 1545285600000,
"doc_count": 2
}]
}
},
"status": 200
}]
}