Hi all. I'm using Elasticsearch version 1.4.2 to get *significant terms* from the data gathered by *Logstash*. When I do the job using the request below, it works fine.

*# Request (works fine)*

    curl -XGET http://localhost:9200/logstash-2014.11.11,logstash-2014.11.12,logstash-2014.11.13,logstash-2014.11.14,logstash-2014.11.15,logstash-2014.11.16,logstash-2014.11.17,logstash-2014.11.18,logstash-2014.11.19,logstash-2014.11.20,logstash-2014.11.21,logstash-2014.11.22,logstash-2014.11.23,logstash-2014.11.24,logstash-2014.11.25,logstash-2014.11.26,logstash-2014.11.27,logstash-2014.11.28,logstash-2014.11.29,logstash-2014.11.30,logstash-2014.12.01,logstash-2014.12.02,logstash-2014.12.03,logstash-2014.12.04,logstash-2014.12.05,logstash-2014.12.06,logstash-2014.12.07,logstash-2014.12.08,logstash-2014.12.09,logstash-2014.12.10,logstash-2014.12.11/my_type/_search?pretty -d '
    {
      "query": {
        "filtered": {
          "filter": {
            "and": [
              { "term": { "myfield.raw": "Something" } }
            ]
          }
        }
      },
      "aggregations": {
        "agg_by_remote_ip": {
          "significant_terms": { "field": "remote_ip" }
        }
      }
    }'

*# Results (bg_count == 45203)*

    ...
    "aggregations" : {
      "agg_by_remote_ip" : {
        "doc_count" : 102,
        "buckets" : [ {
          "key" : "xx.65.xx.112",
          "doc_count" : 102,
          "score" : 10834.56312205343,
          "bg_count" : 45203
        } ]
      }
    }

However, if I add a *range filter which uses @timestamp* like below, then *it reduces the bg_count* of the aggregation results.

*# Added range filter*

    {
      "range": {
        "@timestamp": {
          "from": "2014-12-10T15:00:00.000+00:00",
          "to": "2014-12-10T18:00:00.000+00:00"
        }
      }
    }

*# Results (bg_count == 1802)*

    ...
    "aggregations" : {
      "agg_by_remote_ip" : {
        "doc_count" : 102,
        "buckets" : [ {
          "key" : "xx.65.xx.112",
          "doc_count" : 102,
          "score" : 10834.56312205343,
          "bg_count" : 1802
        } ]
      }
    }

The reduced bg_count value is equal to the result when I use only the "logstash-2014.12.10" index. So, it *seems* that a range filter which uses the @timestamp field *ignores all indices that are not in the range*. Is there any way to use @timestamp while the bg_count is not changed in the significant_terms aggregation? Thanks in advance.
-- You received this message because you are subscribed to the Google Groups "elasticsearch" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0dd756a9-cd40-45e2-be7b-79db9237ef96%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
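One detail worth checking in the two results above: the bucket's "score" is identical (10834.56312205343) even though bg_count dropped from 45203 to 1802. The added Python below is an editor's worked example, not code from the original post or from Elasticsearch; it assumes the score is the JLH heuristic that ES 1.x uses by default, (fg% - bg%) * (fg% / bg%), with subset_size being the aggregation's doc_count (102). Under that assumption an unchanged score means the term's background density did not change, so the background total must have shrunk in the same proportion as bg_count, which is consistent with the poster's observation that whole indices outside the range no longer count as background. The implied background sizes the code derives are computed from the posted numbers, not taken from the page.

```python
"""Reverse-engineer what the JLH score implies about the background set.

Figures copied from the two aggregation results in the post; the JLH formula
is an assumption about ES 1.4.2's default significance heuristic.
"""

DOC_COUNT = 102            # docs matching the query (foreground / subset size)
FG_TERM_COUNT = 102        # foreground docs containing the remote_ip term
BG_TERM_COUNT_ALL = 45203  # bg_count without the @timestamp range filter
BG_TERM_COUNT_RANGE = 1802 # bg_count with the range filter
SCORE = 10834.56312205343  # identical score reported in both runs


def jlh_score(subset_freq, subset_size, superset_freq, superset_size):
    """JLH: (fg_pct - bg_pct) * (fg_pct / bg_pct); 0 if the term is not
    more common in the foreground than in the background."""
    subset_p = subset_freq / subset_size
    superset_p = superset_freq / superset_size
    change = subset_p - superset_p
    if change <= 0:
        return 0.0
    return change * (subset_p / superset_p)


def background_density(score, subset_freq, subset_size):
    """Invert JLH for the background probability b of the term.
    With s = fg probability: score = (s - b) * s / b  =>  b = s^2 / (score + s).
    Note that b depends only on the score and the foreground figures."""
    s = subset_freq / subset_size
    return s * s / (score + s)


def implied_superset_size(score, subset_freq, subset_size, superset_freq):
    """Background doc total that reproduces `score` for the given bg_count."""
    return superset_freq / background_density(score, subset_freq, subset_size)


def compare_runs():
    """Background totals implied by each run, plus the score that the
    range-filtered bg_count would have produced against the full background."""
    size_all = implied_superset_size(SCORE, FG_TERM_COUNT, DOC_COUNT, BG_TERM_COUNT_ALL)
    size_range = implied_superset_size(SCORE, FG_TERM_COUNT, DOC_COUNT, BG_TERM_COUNT_RANGE)
    # Counterfactual: only bg_count shrinks, background total stays the same.
    counterfactual = jlh_score(FG_TERM_COUNT, DOC_COUNT, BG_TERM_COUNT_RANGE, size_all)
    return {
        "implied_background_docs_all_indices": size_all,
        "implied_background_docs_range_run": size_range,
        "shrink_ratio_bg_count": BG_TERM_COUNT_RANGE / BG_TERM_COUNT_ALL,
        "shrink_ratio_background_total": size_range / size_all,
        "score_if_only_bg_count_had_shrunk": counterfactual,
    }


if __name__ == "__main__":
    for name, value in compare_runs().items():
        print(f"{name}: {value:,.2f}")
```

The two shrink ratios come out identical because the score fixes the background density; if only bg_count had dropped while the background total stayed at the full multi-index size, the score would have been orders of magnitude larger. That is the check to run on any such result before concluding which side of the ratio changed.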
