Not able to aggregate with multiple terms

asikarwar · February 12, 2020, 12:42pm

Hello,

I am stuck at aggregate query.
I have a message, matched_id and host.name field, query works if i do not include message.keyword in aggregation. I cannot seem to group over messages? Please help.

GET /pattern_match-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "matched_id": {
              "query": "911"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "from": "now-1d",
              "to": "now"
            }
          }
        }
      ]
    }
  },
  "aggregations": {
    "critical_host": {
      "terms": {
        "field": "host.name.keyword"
      },
      "aggregations": {
        "message_info": {
          "terms": {
            "field": "message.keyword"
          },
          "aggregations": {
            "count_of_matched_id": {
              "value_count": {
                "field": "matched_id.keyword"
              }
            }
          }
        }
      }
    }
  }
}

Console:

Index:

Discover:

Thanks

asikarwar · February 12, 2020, 3:28pm

“message” field contains more than 500 characters, could this be the reason for aggregation to not work?

asikarwar · February 13, 2020, 3:07pm

Resolved.
It was indeed because it was overlooking keywords above 256 characters.
“ignore_above” : 256
YOu can find it with this: GET /your_indexname/_mapping

Topic		Replies	Views
Term aggregation not working with a certain field General Feedback	1	1218	August 21, 2020
Term counts aggregation for complete index field OpenSearch discuss	0	490	January 5, 2023
OpenSearch Bucket Aggregation - Get full message text OpenSearch	3	631	July 13, 2023
Issue with message field data OpenSearch	2	1696	March 30, 2023
Term query with join doesn't work, but works individually OpenSearch	0	243	November 2, 2022

Not able to aggregate with multiple terms

Related Topics