/* Excuse my English, I'm French. My split field is nginx.access.response_code.keyword
*/
{
"aggs": {
"2": {
"significant_terms": {
"field": "nginx.access.response_code.keyword",
"size": 10
},
"aggs": {
"3": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "12h",
"time_zone": "Europe/Paris",
"min_doc_count": 1
}
}
}
}
},
"size": 0,
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "event.created",
"format": "date_time"
},
{
"field": "read_timestamp",
"format": "date_time"
}
],
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"range": {
"@timestamp": {
"gte": "2020-11-07T14:57:01.503Z",
"lte": "2020-12-07T14:57:01.503Z",
"format": "strict_date_optional_time"
}
}
}
],
"should": [],
"must_not": [
{
"match_phrase": {
"nginx.access.response_code.keyword": {
"query": "200"
}
}
},
{
"match_phrase": {
"nginx.access.response_code.keyword": {
"query": "301"
}
}
},
{
"match_phrase": {
"nginx.access.response_code.keyword": {
"query": "304"
}
}
}
]
}
}
}
/* The result: my buckets are empty */
{
"took": 302,
"timed_out": false,
"_shards": {
"total": 11,
"successful": 11,
"skipped": 10,
"failed": 0
},
"hits": {
"total": 6418480,
"max_score": null,
"hits": []
},
"aggregations": {
"2": {
"buckets": []
}
}
}
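I found it: the field nginx.access.response_code.keyword did not exist in my data. Be careful, Kibana does not show you this as an error. The response above still reports 6418480 hits and 0 failed shards, with only an empty "buckets" array, so the `must_not` filters on that field excluded nothing and the aggregation had no values to group. When a dashboard or alert built on such a query comes back empty, check that the field really exists in the index mapping before concluding that there were no matching events.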