I'm trying to work with cloudwatch log data in opensearch. While building some dashboards, I'm querying by "@log_stream". My log streams vary slightly, like "productName_filterlog" and "productName_messagelog". However, my query for one "@log_stream" yields results with many different log streams mixed in. I'm doing a term search with explain enabled in hopes of getting some reasoning for this:
Request
POST myindex/_search?explain=true
{
  "query": {
    "term": {
      "@log_stream": "productName_filterlog"
    }
  }
}
Response
...
"hits": [
  {
    ...,
    "_explanation": {
      "value": 1.0,
      "description": "*:*",
      "details": [ ]
    }
  }
]
My question: what does this _explanation object mean? Why is it so useless? Is there a better way to determine why some unwanted results are showing up? I'm assuming the reason is due to some analyzer shenanigans, but how would one determine this?
Thanks!
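Two facts help with the kind of question above. First, "*:*" with a value of 1.0 and no details is how Lucene explains a match-all query; a term clause that actually matched would name the field and term it scored, so an explanation of "*:*" on every hit means the term clause was not the query that ran. Second, a term query is never passed through the analyzer: against a field mapped as text it is compared with the (normally lower-cased) tokens the analyzer stored, whereas a keyword field (or the .keyword sub-field that the default dynamic mapping adds to strings) stores the raw value. The script below is an added example, not code from the original post: it reads a constructed sample of the index mapping (an assumption about what GET myindex/_mapping would return), picks the field a whole-value term query should target, builds the _analyze request that shows how the field's analyzer tokenises a log-stream name, and classifies an _explanation object. The index name is the one in the question; OPENSEARCH_URL is an assumed environment variable and the HTTP calls only run when it is set.

```python
"""Diagnose a term query on @log_stream: which field to target, how the analyzer
tokenises the value, and whether an _explanation says match-all.

Added example, not from the original post. SAMPLE_MAPPING is constructed to look
like the default dynamic mapping for string fields (text + keyword sub-field) and
is an assumption about the cluster; the URL is taken from OPENSEARCH_URL.
"""
import json
import os
import urllib.request

INDEX = "myindex"       # index name from the question
FIELD = "@log_stream"   # field from the question

# Constructed sample of GET myindex/_mapping (assumption, not real cluster output).
SAMPLE_MAPPING = {
    "myindex": {
        "mappings": {
            "properties": {
                "@log_stream": {
                    "type": "text",
                    # ignore_above: values longer than 256 chars are not indexed here
                    "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                },
                "@timestamp": {"type": "date"},
            }
        }
    }
}


def field_mapping(mapping, index, field):
    """Return the mapping for `field` in `index`, or None if it is not mapped."""
    props = mapping.get(index, {}).get("mappings", {}).get("properties", {})
    return props.get(field)


def exact_match_field(mapping, index, field):
    """Pick the field an un-analysed `term` query should compare whole values on.

    `term` skips the analyzer, so on a `text` field it is compared with the
    stored tokens, not the raw value. A keyword field stores the raw value.
    """
    fm = field_mapping(mapping, index, field)
    if fm is None:
        raise KeyError(f"{field} is not mapped in {index}")
    if fm.get("type") == "keyword":
        return field
    if fm.get("type") == "text":
        for sub, subm in fm.get("fields", {}).items():
            if subm.get("type") == "keyword":
                return f"{field}.{sub}"
        raise ValueError(f"{field} is text with no keyword sub-field; use match")
    raise ValueError(f"{field} has type {fm.get('type')!r}, not a string field")


def analyze_request(field, value):
    """Body for POST {index}/_analyze: runs `value` through the field's analyzer
    and returns the tokens, which is what a term query on a text field sees."""
    return {"field": field, "text": value}


def term_query(field, value):
    """Body for POST {index}/_search?explain=true with an exact-value term clause."""
    return {"query": {"term": {field: {"value": value}}}}


def is_match_all_explanation(explanation):
    """Lucene renders a match-all query as '*:*' with no details; a term clause
    that matched would instead describe the field and term it scored."""
    return explanation.get("description") == "*:*" and not explanation.get("details")


def post_json(url, body):
    """POST a JSON body and decode the JSON reply (only used when a URL is set)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    value = "productName_filterlog"
    target = exact_match_field(SAMPLE_MAPPING, INDEX, FIELD)
    print("exact-value term query should target:", target)
    print("_analyze body:", json.dumps(analyze_request(FIELD, value)))
    print("_search body:", json.dumps(term_query(target, value)))
    base = os.environ.get("OPENSEARCH_URL")  # e.g. http://localhost:9200 (assumption)
    if base:
        print(post_json(f"{base}/{INDEX}/_analyze", analyze_request(FIELD, value)))
        hits = post_json(f"{base}/{INDEX}/_search?explain=true",
                         term_query(target, value))["hits"]["hits"]
        for h in hits:
            print(h["_id"], "match-all?", is_match_all_explanation(h["_explanation"]))
```

With a real cluster, compare the tokens that _analyze returns for the field with the literal you put in the term clause; if they differ in case or segmentation, a term query on the text field cannot match the raw value, and the keyword sub-field is the one to query from the dashboard.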