Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch v2.14.0
Describe the issue:
It appears that whenever I use the “fields” command in PPL, my query results appear to get filtered. I’ve yet to spot the exact pattern as to how but perhaps it’s a dedup type of thing happening to them. Can anyone explain why simply piping my query through fields command would result in fewer results? I can’t see why from the field command documentation. Commands - OpenSearch Documentation
You can replicate what I’m describing on the OpenSearch Playground. The following query returns 630 hits.
source = opensearch_dashboards_sample_data_logs | where match(request, 'filebeat')
whereas the following query returns < 200 results
source = opensearch_dashboards_sample_data_logs | where match(request, 'filebeat') | fields request
Configuration:
(https://playground.opensearch.org/app/observability-logs#/explorer/TMAseY8BhwnwYpCg3bas)
Relevant Logs or Screenshots:
One screenshot (due to new poster restrictions)
Thanks!
Ian