Most templates (e.g. Logstash) configure message to be only a text field without a keyword subfield, so maybe that’s why you don’t see anything - message.keyword may not exist.
You could enable it in the template and reindex, but:
- the aggregation can be expensive, because you’d aggregate on a field with a VERY high cardinality
- indexing will slow down and you’ll store more data
Alternatively, you can try the Top Hits aggregation to be your inner aggregation: Top hits aggregation | Elasticsearch Guide [7.10] | Elastic
I assume you don’t need a specific order for this text, so you can skip specifying a sort value and just say how many messages you want per host.
Another option (as the docs above point out) is to use collapse: Collapse search results | Elasticsearch Guide [7.10] | Elastic
You’d collapse on host name and show whichever fields you want from documents. More limited than top_hits (which can be nested under N levels of aggregations) but potentially faster.
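As an added illustration (not code from the post above), here are the three request bodies the reply discusses, built in Python so they can be dumped to JSON and sent with curl or the Python client: a terms aggregation on the host field with a top_hits inner aggregation, the same thing with collapse, and the index template change that adds a keyword multi-field under message (with ignore_above to cap the storage and cardinality cost). The field name `host.name` and the index pattern `logs-*` are assumptions; substitute whatever your own mapping uses. The sample response at the bottom is constructed to match the shape Elasticsearch returns so the flattening helper can be exercised without a cluster.

```python
"""Added example (not from the original thread): build the Elasticsearch
request bodies discussed above and flatten a terms+top_hits response into
{host: [messages]}. Assumed names: `host.name` as the keyword field to group
on and `logs-*` as the index pattern."""
import json
from typing import Any

INDEX = "logs-*"          # assumed index pattern
HOST_FIELD = "host.name"  # assumed keyword field to group on


def top_hits_per_host(messages_per_host: int = 3, max_hosts: int = 100) -> dict[str, Any]:
    """terms agg on the host field with a top_hits inner agg.

    size=0 suppresses the normal hit list so only the aggregation comes back,
    and _source is trimmed to `message` so each bucket carries only what we
    need. No `sort` is given, so the hits come back in score order (all equal
    for match_all), which is fine when order does not matter."""
    return {
        "size": 0,
        "query": {"match_all": {}},
        "aggs": {
            "per_host": {
                "terms": {"field": HOST_FIELD, "size": max_hosts},
                "aggs": {
                    "sample_messages": {
                        "top_hits": {
                            "size": messages_per_host,
                            "_source": {"includes": ["message"]},
                        }
                    }
                },
            }
        },
    }


def collapse_per_host(messages_per_host: int = 3, max_hosts: int = 100) -> dict[str, Any]:
    """Field collapsing on the host field. The top-level `size` bounds the
    number of distinct hosts returned (one hit per collapsed value);
    `inner_hits` adds up to N further documents from each group. Unlike
    top_hits this cannot be nested under other aggregations."""
    return {
        "size": max_hosts,
        "query": {"match_all": {}},
        "_source": ["message"],
        "collapse": {
            "field": HOST_FIELD,
            "inner_hits": {
                "name": "sample_messages",
                "size": messages_per_host,
                "_source": ["message"],
            },
        },
    }


def message_keyword_template(ignore_above: int = 256) -> dict[str, Any]:
    """The mapping change the reply warns about: a keyword multi-field under
    `message`. `ignore_above` skips the keyword for long lines, which limits
    (but does not remove) the extra storage and the very high cardinality."""
    return {
        "index_patterns": [INDEX],
        "template": {
            "mappings": {
                "properties": {
                    "message": {
                        "type": "text",
                        "fields": {"keyword": {"type": "keyword", "ignore_above": ignore_above}},
                    }
                }
            }
        },
    }


def messages_by_host(response: dict[str, Any]) -> dict[str, list[str]]:
    """Flatten a terms+top_hits response into {host: [message, ...]}."""
    out: dict[str, list[str]] = {}
    for bucket in response["aggregations"]["per_host"]["buckets"]:
        hits = bucket["sample_messages"]["hits"]["hits"]
        out[bucket["key"]] = [h["_source"]["message"] for h in hits]
    return out


# Constructed sample response in the shape Elasticsearch returns for
# top_hits_per_host(); lets the flattening run without a live cluster.
SAMPLE_RESPONSE = {
    "aggregations": {"per_host": {"buckets": [
        {"key": "web-01", "doc_count": 2, "sample_messages": {"hits": {"hits": [
            {"_source": {"message": "GET /login 200"}},
            {"_source": {"message": "POST /login 401"}},
        ]}}},
        {"key": "db-01", "doc_count": 1, "sample_messages": {"hits": {"hits": [
            {"_source": {"message": "slow query: 2.3s"}},
        ]}}},
    ]}}
}

if __name__ == "__main__":
    print(json.dumps(top_hits_per_host(), indent=2))
    print(json.dumps(collapse_per_host(), indent=2))
    print(json.dumps(message_keyword_template(), indent=2))
    print(messages_by_host(SAMPLE_RESPONSE))
```

To run either search body against a cluster, write it to a file and POST it to `/logs-*/_search` (for example with `curl -H 'Content-Type: application/json' -d @body.json`); the template body goes to `_index_template/<name>` via PUT and only affects indices created afterwards, so existing data still needs a reindex before message.keyword appears. The collapse variant returns each host's sample under `hits.hits[].inner_hits.sample_messages`, whereas the aggregation variant puts it under `aggregations.per_host.buckets[]`, which is what `messages_by_host` reads.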