
Query cannot filter #6211

@emresudo

Description


Describe the bug

The data exists, because I already checked it with this filter: srcip:10.111.1.111 dstport:161. After that, out of curiosity, I just wanted to filter by eventtime.

srcip:10.111.1.111 dstport:161 eventtime:1773940811365322000

And the response is always empty.

My data is here:

{
  "eventtime": 1773940811365322000,
  "srcip": "10.111.1.111",
  "dstip": 161,
  "type": "traffic"
}

I also checked with these queries.

  • srcip:10.111.1.111 dstport:161 eventtime:1773940811365322000*
  • srcip:10.111.1.111 dstport:161 eventtime:*1773940811365322000*
  • srcip:10.111.1.111 dstport:161 eventtime:*17739408113*
  • srcip:10.111.1.111 dstport:161 eventtime:"*1*"

Configuration:
Quickwit 0.8.2 (x86_64-unknown-linux-gnu 2024-09-03T11:26:51Z 0f28194)

Indexing Settings

{
  "commit_timeout_secs": 30,
  "docstore_compression_level": 10,
  "docstore_blocksize": 2000000,
  "split_num_docs_target": 50000000,
  "merge_policy": {
    "type": "stable_log",
    "min_level_num_docs": 500000,
    "merge_factor": 10,
    "max_merge_factor": 12,
    "maturation_period": "2days"
  },
  "resources": {
    "heap_size": "6.0 GB"
  }
}

Doc Mapping

{
  "field_mappings": [
    {
      "name": "_time",
      "type": "datetime",
      "fast": true,
      "fast_precision": "seconds",
      "indexed": true,
      "input_formats": [
        "unix_timestamp"
      ],
      "output_format": "rfc3339",
      "stored": true
    },
    {
      "name": "logsource",
      "type": "text",
      "fast": false,
      "fieldnorms": false,
      "indexed": true,
      "record": "basic",
      "stored": true,
      "tokenizer": "raw"
    },
    {
      "name": "_msg",
      "type": "text",
      "fast": false,
      "fieldnorms": false,
      "indexed": true,
      "record": "basic",
      "stored": true,
      "tokenizer": "default"
    }
  ],
  "tag_fields": [],
  "store_source": false,
  "index_field_presence": false,
  "timestamp_field": null,
  "mode": "dynamic",
  "dynamic_mapping": {
    "indexed": true,
    "tokenizer": "raw",
    "record": "basic",
    "stored": true,
    "expand_dots": true,
    "fast": {
      "normalizer": "raw"
    }
  },
  "max_num_partitions": 200,
  "tokenizers": []
}
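A reproduction harness for the queries in the report, as an added example (not part of the issue, and not Quickwit's own code). It assumes a Quickwit 0.8.x node whose REST API is reachable at QUICKWIT_URL (default http://127.0.0.1:7280) and uses only the documented endpoints POST /api/v1/indexes, POST /api/v1/<index_id>/ingest and GET /api/v1/<index_id>/search. The index id `eventtime-repro` and the helper names are this example's own; the field names, values and queries are copied from the report. Two things to watch when running it: the posted document carries `dstip` while every query filters on `dstport`, so one of them has to be adjusted before the base filter can match; and with `commit_timeout_secs: 30` a document is not searchable until it is committed, which is why the ingest call below forces a commit. The `numeric_term_report` check is a general diagnostic for a numeric term that refuses to match (does the value fit i64/u64, and does it survive a float64 round trip?); the report does not say how Quickwit parses the term, so this is a check, not a diagnosis.

```python
"""Reproduction harness for the eventtime queries in the report above.

Added example; not part of the issue and not Quickwit's own code. Assumes a
Quickwit 0.8.x REST API at QUICKWIT_URL (default http://127.0.0.1:7280) and
uses only documented endpoints: POST /api/v1/indexes,
POST /api/v1/<index_id>/ingest and GET /api/v1/<index_id>/search.
"""
import json
import os
import urllib.parse
import urllib.request

INDEX_ID = "eventtime-repro"  # hypothetical index id chosen for this example
DEFAULT_URL = "http://127.0.0.1:7280"

# Constructed copy of the document posted in the report.
# It carries "dstip", while the report's queries filter on "dstport".
DOC = {
    "eventtime": 1773940811365322000,
    "srcip": "10.111.1.111",
    "dstip": 161,
    "type": "traffic",
}

# The filter the reporter says matches, then the eventtime variants that return nothing.
QUERIES = [
    "srcip:10.111.1.111 dstport:161",
    "srcip:10.111.1.111 dstport:161 eventtime:1773940811365322000",
    "srcip:10.111.1.111 dstport:161 eventtime:1773940811365322000*",
    "srcip:10.111.1.111 dstport:161 eventtime:*1773940811365322000*",
    "srcip:10.111.1.111 dstport:161 eventtime:*17739408113*",
    'srcip:10.111.1.111 dstport:161 eventtime:"*1*"',
]


def build_index_config(index_id: str) -> dict:
    """Index config mirroring the report's dynamic-mode doc mapping.

    The explicit _time/logsource/_msg mappings are left out because the posted
    document sets none of them; every field it does set goes through dynamic_mapping.
    """
    return {
        "version": "0.8",
        "index_id": index_id,
        "doc_mapping": {
            "mode": "dynamic",
            "index_field_presence": False,
            "dynamic_mapping": {
                "indexed": True,
                "tokenizer": "raw",
                "record": "basic",
                "stored": True,
                "expand_dots": True,
                "fast": {"normalizer": "raw"},
            },
        },
        # Same commit timeout as the report; the ingest call below forces a commit
        # so the search does not have to wait up to 30 s for the document to be visible.
        "indexing_settings": {"commit_timeout_secs": 30},
    }


def search_url(base_url: str, index_id: str, query: str, max_hits: int = 10) -> str:
    """URL for GET /api/v1/<index_id>/search with the query percent-encoded."""
    params = urllib.parse.urlencode({"query": query, "max_hits": max_hits})
    return f"{base_url}/api/v1/{index_id}/search?{params}"


def numeric_term_report(value: int) -> dict:
    """Sanity checks on a numeric query term: does it fit i64/u64, and does it
    survive a round trip through a 64-bit float? A term wider than 2**53 does
    not, so any code path that parses it as f64 compares a different number."""
    as_float = float(value)
    return {
        "fits_i64": -(2**63) <= value < 2**63,
        "fits_u64": 0 <= value < 2**64,
        "exact_as_f64": int(as_float) == value,
        "f64_roundtrip": int(as_float),  # -> 1773940811365321984 for the report's value
    }


def _http(method: str, url: str, body=None) -> dict:
    """Minimal JSON request helper over urllib (no third-party client needed)."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def reproduce(base_url: str = DEFAULT_URL) -> dict:
    """Create the index, ingest DOC with a forced commit, run every query and
    return {query: num_hits} so matching and non-matching filters are side by side."""
    _http("POST", f"{base_url}/api/v1/indexes", json.dumps(build_index_config(INDEX_ID)).encode())
    _http("POST", f"{base_url}/api/v1/{INDEX_ID}/ingest?commit=force", (json.dumps(DOC) + "\n").encode())
    return {q: _http("GET", search_url(base_url, INDEX_ID, q))["num_hits"] for q in QUERIES}


if __name__ == "__main__":
    print(numeric_term_report(DOC["eventtime"]))
    for query, hits in reproduce(os.environ.get("QUICKWIT_URL", DEFAULT_URL)).items():
        print(f"{hits:>3} hits  {query}")
```

Run it against a fresh node (`QUICKWIT_URL=http://host:7280 python3 repro.py`); index creation fails with a 400 if `eventtime-repro` already exists, so delete it first when re-running. The hit counts printed next to each query give the maintainers the same picture as the report, with the document and mapping pinned in one file.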
