I have logstash indicies that go back thirty days. I have logs in those
indices from today.
If I do a search with:
"size": 500,
"sort": [
{
"@timestamp": {
"order": "desc",
"ignore_unmapped": true
}
}
]
I don't get any logs from today. If I limit the search results to just
today by adding a time filter, I see the results from today:
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1410815562837,
"to": 1410901962837
}
}
}
]
}
}
Shouldn't ES be sorting on the *entire* result set and then return me the
top 500? Instead, it appears to limit the results to 500 and then sort by
time. Is this expected behavior? Is there a workaround?
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/8c5d33b9-1333-4324-891c-c382c8a41dde%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
