Need Explanation on ElasticSearch Filters Aggregation

Question

I'm trying to understand the syntax of Filters Aggregations in ElasticSearch, and I'm stumped. The example given in the documentation is this:

    {
      "aggs" : {
        "messages" : {
          "filters" : {
            "filters" : {
              "errors" :   { "term" : { "body" : "error"   }},
              "warnings" : { "term" : { "body" : "warning" }}
            }
          },
          "aggs" : {
            "monthly" : {
              "histogram" : {
                "field" : "timestamp",
                "interval" : "1M"
              }
            }
          }
        }
      }
    }

I understand the following:

• "aggs" defines the aggregations blocks (it's a shortcut for "aggregations"). There's actually nested aggregations in the example, as can be seen.
• "messages" is the user-defined name of the aggregation block.
• "errors" and "warnings" are user-defined names of the filters used to create the "buckets" for the aggregation. They drop items with "body" equal to "error" and "warning" respectively ("term" matching).

What I don't understand is why "filters" appears twice, nested inside of itself. Per the general aggregations syntax:

    "aggregations" : {
        "<aggregation_name>" : {
            "<aggregation_type>" : {
                <aggregation_body>
            }
            [,"aggregations" : { [<sub_aggregation>]+ } ]?
        }
        [,"<aggregation_name_2>" : { ... } ]*
    }

• "aggs" is short for "aggregations"
• "messages" is my "<aggregation name"
• "filters" is the ""

What's the second "filters" element doing? And where is it documented that "filters" has to be self-nested; it doesn't seem to be the case for any of the other aggregations I'm learning.

Answer 1

I understand how you feel, been there, too :-)

In the filters aggregation, the first filters occurrence is the aggregation_type and the second is part of the aggregation_bodyof the filters aggregation and is the only valid key that this aggregation supports.

The second filters occurrence could have been called anything else (filter_list, list, etc) to denote that it contains the list of filters for that aggregation, but the ES folks picked filters which happen to also be the same name as the name of the aggregation itself.

So it goes like this:

{
  "aggs" : {                    <--- key word to declare aggregations
    "messages" : {              <--- custom name for the aggregation that follows
      "filters" : {             <--- aggregation_type
        "filters" : {           <--- first (and only) key of the aggregation_body
          "errors" :   { "term" : { "body" : "error"   }},
          "warnings" : { "term" : { "body" : "warning" }}
        }
      },
      "aggs" : {
        "monthly" : {
          "histogram" : {
            "field" : "timestamp",
            "interval" : "1M"
          }
        }
      }
    }
  }
}