Aggregations returns wrong results

[ofer-velich]

Elasticsearch version: 1.7.3

OS version: Ubuntu 14.04

Description of the problem including expected versus actual behavior:

Aggregations returns wrong results on one of my indices - running avg or max or min on a small set of double field called "time", it looks like it's ignoring the floating point

the index has the following mapping:

Please note that we have two "time" fields on the same index, One under the "root" object witch is mapped as double, And one under the "event.properties" witch is mapped as long.

{
    indexname: {
        mappings: {
            web-api: {
                properties: {
                    ....
                    event: {
                        properties: {
                            time: {
                                type: "long"
                            },
                            ....
                        }
                    },
                    .....
                    time: {
                        type: "double"
                    },
                    .....
                }
            }
        }
    }
}

when i run the following query and aggs i get wrong results:

curl -XGET elasticsearch:9200/indexname/web-api/_search -d '
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "_exists_: time"
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "gte":  1456733280000,
            "lte":  1456733306000
          }
        }
      }
    }
  }
  , "size": 2
  , "aggs": {
    "min-agg": {
      "min": {
        "field": "time"
      }
    },
    "max-agg": {
      "max": {
        "field": "time"
      }
    },
    "avg-agg": {
      "avg": {
        "field": "time"
      }
    }
  }
}
' 

Results:

{
   "took": 2,
   "timed_out": false,
   "_shards": {
      "total": 8,
      "successful": 8,
      "failed": 0
   },
   "hits": {
      "total": 2,
      "max_score": 1,
      "hits": [
         {
            "_index": "indexname",
            "_type": "web-api",
            "_id": "AVMsEjtIrdN06BhGvXc-",
            "_score": 1,
            "_source": {
               ....
               "@timestamp": "2016-02-29T08:08:13.929+00:00",
               ....
               "time": 1741.3100000023842
            }
         },
         {
            "_index": "indexname",
            "_type": "web-api",
            "_id": "AVMsEjvO9e5_IXiSdhbm",
            "_score": 1,
            "_source": {
               ....
               "@timestamp": "2016-02-29T08:08:14.388+00:00",
               ....
               "time": 2377.314999997616
            }
         }
      ]
   },
   "aggregations": {
      "max-agg": {
         "value": 4657446186044490000
      },
      "min-agg": {
         "value": 4655373177816613000
      },
      "avg-agg": {
         "value": 4656409681930551000
      }
   }
}

Any idea, why we are getting those results ??

Thanks

[clintongormley]

Hi @ofer-velich

The time field is being resolved to different fields at query time: one to event.time and one to time. This ambiguity has been cleared up in 2.x (see #8870) but cannot be resolved in 1.x.

You can try prepending the type name to to disambiguate: web-api.time vs web-api.event.time

(Prepending the type name is no longer supported in 2.x because it creates other ambiguities, but should work for your case).

i highly recommend upgrading.

[ofer-velich]

Thanks!
We are currently upgrading our clusters to 2.X.