Hello,
I encountered a strange situation, which I will describe below.
Tested with both ELK 8.6.2 / ROR 1.51 and ELK 7.17.2 / ROR 1.43.0.
ROR access-control configuration used (two blocks, in this order):
- name: "fftest Kibana"
  groups: ["fftest"]
  indices: ["test01"]
  fields: ["~user1"]
  kibana_access: "rw"
  kibana_index: ".kibana_fftest"
- name: "fftest Kibana 1"
  groups: ["fftest"]
  indices: [".kibana_fftest", "test01"]
  kibana_access: "rw"
  kibana_index: ".kibana_fftest"
I created an index called test01, and I want the "user1" field to be excluded from any search results returned to this group (that is what the `fields: ["~user1"]` rule is for).
At first I created this index with only a few documents (fewer than 10).
I got the expected response: the user1 field was absent from the hits of every search I ran.
If I insert more than 10 documents (or 29 documents on ELK 8.6.2), the user1 field starts appearing in the search results, but only for a match_all query; queries that target the field directly still behave as if it were hidden. The queries and responses I used are below:
GET _search?size=100
{
"query": {
"match_all": {}
}
}
response:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 29,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "test01",
"_id": "UHfSiYoB2fo4isNUxF1X",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "HwnSiYoBJCN9dDN95zXQ",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "TXfSiYoB2fo4isNUFF3v",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "T3fSiYoB2fo4isNUt12h",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "UXfSiYoB2fo4isNU1l1S",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "IAnSiYoBJCN9dDN99TU9",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "0q7SiYoBkxx3SbNmqPX4",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "IQnTiYoBJCN9dDN9BTXY",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "067TiYoBkxx3SbNmFPWA",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "HgnSiYoBJCN9dDN9kzWm",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "3K7UiYoBkxx3SbNmIfUD",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "3a7UiYoBkxx3SbNmMPWp",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "VHfUiYoB2fo4isNUXl1T",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "2K7TiYoBkxx3SbNm0PVH",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "2a7TiYoBkxx3SbNm4PVb",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "2q7TiYoBkxx3SbNm7_VP",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "U3fUiYoB2fo4isNUEl1F",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "267UiYoBkxx3SbNmA_W1",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "JgnUiYoBJCN9dDN9RDUm",
"_score": 1,
"_source": {
"user1": "a",
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "TnfSiYoB2fo4isNUgl03",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "IwnTiYoBJCN9dDN9VjWV",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "167TiYoBkxx3SbNmnvWo",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "UnfTiYoB2fo4isNUJF1_",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "1K7TiYoBkxx3SbNmNPW5",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "IgnTiYoBJCN9dDN9SDUM",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "JAnTiYoBJCN9dDN9jjVu",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "JQnTiYoBJCN9dDN9wDVU",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "1a7TiYoBkxx3SbNmafWC",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
},
{
"_index": "test01",
"_id": "1q7TiYoBkxx3SbNmfPWP",
"_score": 1,
"_source": {
"user2": "b",
"user3": "c"
}
}
]
}
}
GET test01/_search
{
"query": {
"match": {
"user1": "a"
}
}
}
response:
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
GET test01/_search
{
"query": {
"exists": {
"field": "user1"
}
}
}
response:
{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}
As you can see in the match_all response, only 10 of the 29 documents have user1 stripped; the other 19 hits return every field, so the `fields` rule is no longer applied to them. By contrast, the `match` and `exists` queries on user1 both return 0 hits, so the field is still hidden from query evaluation but leaks through `_source` of the match_all hits. In effect this is a field-level-security bypass: a field the rule is meant to hide is exposed to the group, which is the situation field restrictions exist to prevent. One thing I want to rule out first: the second block ("fftest Kibana 1") grants the same `fftest` group access to test01 with no `fields` restriction, so, if I understand rule evaluation correctly, any request that does not match the first block would be served without any field filtering; it would be useful to confirm which block matched these requests before concluding that the `fields` rule itself is broken.