
Time range causing empty result #127262


Closed
Heenawter opened this issue Apr 23, 2025 · 4 comments · Fixed by #127267
Labels
:Analytics/Aggregations Aggregations blocker >bug :Search/Search Search-related issues that do not fall into other categories Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) Team:Search Meta label for search team

Comments

@Heenawter

Elasticsearch Version

9.1.0-SNAPSHOT

Installed Plugins

No response

Java Version

bundled

OS Version

Darwin Kernel Version 24.3.0

Problem Description

In my investigation of elastic/kibana#218953, I found that the ES server is giving different results in the 9.1.0-SNAPSHOT version compared to previous versions. See the "Steps to reproduce" section for a more thorough description.

Steps to Reproduce

  1. Enter export ES_SNAPSHOT_MANIFEST="https://storage.googleapis.com/kibana-ci-es-snapshots-daily/9.1.0/archives/20250418-021642_492b0363/manifest.json" into your command window

  2. Enter yarn es snapshot into the same command window

  3. Enter yarn start into another command window

  4. Install Web Logs sample data

  5. Navigate to the dev console

  6. Enter the following query:

    GET kibana_sample_data_logs/_search
    {
      "size": 0,
      "timeout": "1000ms",
      "terminate_after": 100000,
      "query": {
        "bool": {
          "filter": [
            {
              "bool": {
                "filter": [
                  {
                    "range": {
                      "timestamp": {
                        "format": "strict_date_optional_time",
                        "gte": "2025-04-16T14:45:41.953Z",
                        "lte": "2025-04-23T14:45:41.953Z"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      },
      "aggs": {
        "filteredSuggestions": {
          "filter": {
            "prefix": {
              "machine.os.keyword": {
                "value": "w",
                "case_insensitive": true
              }
            }
          },
          "aggs": {
            "suggestions": {
              "terms": {
                "size": 10,
                "field": "machine.os.keyword",
                "shard_size": 10,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }
    

In the 9.1.0-SNAPSHOT version, it returns an empty result:

{
  "took": 1,
  "timed_out": false,
  "terminated_early": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1608,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "filteredSuggestions": {
      "doc_count": 0,
      "suggestions": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": []
      }
    }
  }
}

But when testing in 8.18 Kibana, it returns the expected filtered values:


{
  "took": 4,
  "timed_out": false,
  "terminated_early": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1608,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "filteredSuggestions": {
      "doc_count": 956,
      "suggestions": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "win xp",
            "doc_count": 348
          },
          {
            "key": "win 7",
            "doc_count": 309
          },
          {
            "key": "win 8",
            "doc_count": 299
          }
        ]
      }
    }
  }
}

However, when I remove the time range filter from the 9.1.0-SNAPSHOT query, I no longer get empty buckets:

  • Query:

    GET kibana_sample_data_logs/_search
    {
      "size": 0,
      "timeout": "1000ms",
      "terminate_after": 100000,
      "query": {
        "bool": {
          "filter": []
        }
      },
      "aggs": {
        "filteredSuggestions": {
          "filter": {
            "prefix": {
              "machine.os.keyword": {
                "value": "w",
                "case_insensitive": true
              }
            }
          },
          "aggs": {
            "suggestions": {
              "terms": {
                "size": 10,
                "field": "machine.os.keyword",
                "shard_size": 10,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }
    
  • Result:

    {
      "took": 2,
      "timed_out": false,
      "terminated_early": false,
      "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
      },
      "hits": {
        "total": {
          "value": 10000,
          "relation": "gte"
        },
        "max_score": null,
        "hits": []
      },
      "aggregations": {
        "filteredSuggestions": {
          "doc_count": 8512,
          "suggestions": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "win xp",
                "doc_count": 2885
              },
              {
                "key": "win 7",
                "doc_count": 2814
              },
              {
                "key": "win 8",
                "doc_count": 2813
              }
            ]
          }
        }
      }
    }
    

Logs (if relevant)

No response

@benwtrent
Member

Behavior is troubling, I am not sure what's up here.

But, adding the filter to the query returns valid buckets:

GET kibana_sample_data_logs/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "range": {
                  "timestamp": {
                    "format": "strict_date_optional_time",
                    "gte": "2025-04-16T14:45:41.953Z",
                    "lte": "2025-04-23T14:45:41.953Z"
                  }
                }
              },
              {
                "prefix": {
                  "machine.os.keyword": {
                    "value": "w",
                    "case_insensitive": true
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "filteredSuggestions": {
      "filter": {
        "prefix": {
          "machine.os.keyword": {
            "value": "w",
            "case_insensitive": true
          }
        }
      },
      "aggs": {
        "suggestions": {
          "terms": {
            "size": 10,
            "field": "machine.os.keyword",
            "shard_size": 10,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}

Or a simple exists query (which likely gets rewritten to a match_all):

GET kibana_sample_data_logs/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "exists": {
                    "field": "timestamp"
                }
              }
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "filteredSuggestions": {
      "filter": {
        "prefix": {
          "machine.os.keyword": {
            "value": "w",
            "case_insensitive": true
          }
        }
      },
      "aggs": {
        "suggestions": {
          "terms": {
            "size": 10,
            "field": "machine.os.keyword",
            "shard_size": 10,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}

But, indeed, the following returns nothing:

GET kibana_sample_data_logs/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "range": {
                  "timestamp": {
                    "format": "strict_date_optional_time",
                    "gte": "2025-04-16T14:45:41.953Z",
                    "lte": "2025-04-24T14:45:41.953Z"
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "filteredSuggestions": {
      "filter": {
        "prefix": {
          "machine.os.keyword": {
            "value": "w",
            "case_insensitive": true
          }
        }
      }
    }
  }
}

@benwtrent
Member

Likely related: #126955

@benwtrent benwtrent added :Analytics/Aggregations Aggregations :Search/Search Search-related issues that do not fall into other categories labels Apr 23, 2025
@elasticsearchmachine elasticsearchmachine added Team:Search Meta label for search team Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) and removed needs:triage Requires assignment of a team area label labels Apr 23, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)

@elasticsearchmachine
Collaborator

Pinging @elastic/es-search (Team:Search)
