The derivequeries panel always broadcasts all events

[dav3860]

The derivequeries panel always broadcasts all events in addition to the facet results, whatever mode is selected. For example, with a table filter, if we enter this query : "host:server1" and select the "action" field with an AND mode, the table inspector shows this in the query :

 "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "*"
              }
            },
            {
              "query_string": {
                "query": "action:\"start\" AND (host:server1)"
              }
            },
            {
              "query_string": {
                "query": "action:\"stop\" AND (host:server1)"
              }
            },
[...]

So the table panel shows everything, even though we enter a "host:server1" query.
The table query should be :

 "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "host:server1"
              }
            },
            {
              "query_string": {
                "query": "action:\"start\" AND (host:server1)"
              }
            },
            {
              "query_string": {
                "query": "action:\"stop\" AND (host:server1)"
              }
            },
[...]

It also doesn't work if the host:server1 is added in a filter panel.

[rashidkpc]

Can you attach your dashboard schema? This isn't how it works from a code perspective, it looks like you might still have a * query. Remember, derivequeries adds new queries, it doesn't get rid of any you already have.

curl -XGET 'http://localhost:9200/logstash-2013.10.09,logstash-2013.10.08/_search?pretty' -d '{
  "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "_type:\"apache\""
              }
            },
            {
              "query_string": {
                "query": "_type:\"nginx\""
              }
            }
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "match_all": {}
            },
            {
              "range": {
                "@timestamp": {
                  "from": 1381236142798,
                  "to": "now"
                }
              }
            },
            {
              "bool": {
                "must": [
                  {
                    "match_all": {}
                  }
                ]
              }
            }
          ]
        }
      }
    }
  },
  "highlight": {
    "fields": {},
    "fragment_size": 2147483647,
    "pre_tags": [
      "@start-highlight@"
    ],
    "post_tags": [
      "@end-highlight@"
    ]
  },
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}'

[dav3860]

Here is an sample dashboard schema for Windows Events :
https://gist.github.com/6903830.git

I see this in the JSON schema :

      "list": {
        "0": {
          "query": "",
          "alias": "",
          "color": "#7EB26D",
          "id": 0,
          "pin": false,
          "type": "lucene"
        },
        "1": {
          "alias": 4634,
          "query": "EventID:\"4634\" AND (NOT host:server1)",
          "id": 1,
          "color": "#EAB839",
          "pin": false,
          "type": "lucene"
        },
[...]

Is this 0 query due to events with no EventID field ? Does this broadcast a "*" query to all panels ?

[rashidkpc]

There is no broadcasting anymore, your 0 query is effectively a match all, goto the query panel and remove it. Its there because every dashboard must have a query on load, and if there isn't one, a match all is created.