Reputation: 49
This is my Elastic bool query. This works fine:
    {
      "query": {
        "bool": {
          "filter": [
            {
              "terms": {
                "parent_uuid._raw": [
                  "87ec596a-109e-45ce-8a8d-7a2d1a56df81",
                  "07526608-8140-46be-96b9-c5f7cca4bd93"
                ]
              }
            },
            {
              "terms": {
                "resource_type._raw": [
                  "Zone"
                ]
              }
            }
          ]
        }
      },
      "from": 0
    }
I want an aggregation on the name field, so I add this:
    "aggs": {
      "group_by_name": {
        "terms": {
          "field": "display_name.keyword"
        }
      }
    }
But the result is the same. What am I missing?
The result I get is:
    {
      "device-resource": [
        {
          "fq_name": [ "default-domain", "muthu1500", "EP", "JUNOS/Zone=oam" ],
          "uuid": "161cf82d-16fd-4219-861d-d50de622f8eb",
          "uri": "/ems-central/device-resource/161cf82d-16fd-4219-861d-d50de622f8eb"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "EP", "JUNOS/Zone=untrust" ],
          "uuid": "fe28fb7c-c087-4473-aeef-e302022f47a4",
          "uri": "/ems-central/device-resource/fe28fb7c-c087-4473-aeef-e302022f47a4"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "MNONZT", "JUNOS/Zone=trust" ],
          "uuid": "251a4a9e-acb4-49ed-9c29-499ddbceb532",
          "uri": "/ems-central/device-resource/251a4a9e-acb4-49ed-9c29-499ddbceb532"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "MNONZT", "JUNOS/Zone=untrust" ],
          "uuid": "a3417512-8953-4c1e-b68e-8390327d5213",
          "uri": "/ems-central/device-resource/a3417512-8953-4c1e-b68e-8390327d5213"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "SRX1500MD", "JUNOS/Zone=trust" ],
          "uuid": "1a5434c5-d47d-40be-bb00-ef1d244e6c0c",
          "uri": "/ems-central/device-resource/1a5434c5-d47d-40be-bb00-ef1d244e6c0c"
        }
      ],
      "total": 5
    }
Since the last two records have the same display_name as the 2nd and 3rd records respectively, the aggregate should show only 1 of them. I want this result:
    {
      "device-resource": [
        {
          "fq_name": [ "default-domain", "muthu1500", "EP", "JUNOS/Zone=oam" ],
          "uuid": "161cf82d-16fd-4219-861d-d50de622f8eb",
          "uri": "/ems-central/device-resource/161cf82d-16fd-4219-861d-d50de622f8eb"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "EP", "JUNOS/Zone=untrust" ],
          "uuid": "fe28fb7c-c087-4473-aeef-e302022f47a4",
          "uri": "/ems-central/device-resource/fe28fb7c-c087-4473-aeef-e302022f47a4"
        },
        {
          "fq_name": [ "default-domain", "muthu1500", "MNONZT", "JUNOS/Zone=trust" ],
          "uuid": "251a4a9e-acb4-49ed-9c29-499ddbceb532",
          "uri": "/ems-central/device-resource/251a4a9e-acb4-49ed-9c29-499ddbceb532"
        }
      ],
      "total": 3
    }
Upvotes: 2
Views: 746
Reputation: 217304
According to your mapping, your terms aggregation needs to be like this (use the _raw sub-field):
    "aggs": {
      "group_by_name": {
        "terms": {
          "field": "display_name._raw"
        }
      }
    }
Upvotes: 1