MachosV

Reputation: 15

Elasticsearch terms aggregation returns no buckets

New Elasticsearch user here and having an issue with a terms aggregation. I have indexed 187 documents with fields like "name", "host", "risk", etc. The field risk has 4 unique values ("Critical", "High", "Medium", "Low", "Informational"). I am running a terms aggregation like this:

POST http://localhost:9200/{index_name}/_search?size=0

{
    "aggs": {
        "riskCount": {
            "terms": {
                "field": "risk.keyword"
            }
        }
    }
}

I was expecting a result stating that I have x of Critical, x of High, etc. Thing is, I get no buckets returned.

{
    "took": 2,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 187,
            "relation": "eq"
        },
        "max_score": null,
        "hits": []
    },
    "aggregations": {
        "riskCount": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
        }
    }
}

My Elasticsearch version is 7.12.0. Any ideas?

And here's the document:

{
    "took": 1,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 187,
            "relation": "eq"
        },
        "max_score": 1.0,
        "hits": [
            {
                "_index": "findings",
                "_type": "_doc",
                "_id": "f86b6b5b-f09e-4350-9a66-d88a3a78f640",
                "_score": 1.0,
                "_source": {
                    "risk": "Informational",
                    "name": "HTTP Server Type and Version",
                    "host": "10.10.9.10",
                    "date_uploaded": "2021-05-07T19:39:10.810663+00:00"
                }
            }
        ]
    }
}

Upvotes: 1

Views: 1722

Answers (2)

Bhavya

Reputation: 16192

Since the risk field is of text type, you need to update your index mapping as follows:

PUT {index_name}/_mapping
{
  "properties": {
    "risk": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword"
        }
      }
    }
  }
}

Then run the update_by_query API to reindex the data.

Upvotes: 1

Val

Reputation: 217544

You don't have any risk.keyword field in your mapping. You need to change your mapping as follows. Just run the following command to update your mapping and create the risk.keyword sub-field:

PUT index-name/_mapping
{
  "properties": {
    "date_uploaded": {
      "type": "date"
    },
    "host": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword"
        }
      }
    },
    "name": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword"
        }
      }
    },
    "risk": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword"
        }
      }
    }
  }
}

Then reindex your data using this command:

POST index-name/_update_by_query

And then your query can be run like this:

{
  "aggs": {
    "riskCount": {
      "terms": {
        "field": "risk.keyword"
      }
    }
  }
}

Upvotes: 1
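Both answers come down to the same root cause: a terms aggregation on a field that does not exist in the mapping (here `risk.keyword`, because `risk` was mapped as plain `text` with no keyword sub-field) does not error, it silently returns zero buckets. The script below is an added example, not code from the question or either answer. It works offline on a constructed copy of what `GET {index_name}/_mapping` returns, checks which field name is actually aggregatable, and generates the `PUT {index_name}/_mapping` body that adds a `keyword` sub-field to every `text` field still missing one (the general form of what Val wrote by hand for `host`, `name` and `risk`). The index name `findings`, the field layout and the function names are assumptions for the example.

```python
import json

# Constructed sample of a GET findings/_mapping response. "risk" and "host"
# were dynamically mapped as plain text, so "risk.keyword" does not exist;
# "name" already carries a keyword sub-field. Not taken from the page.
SAMPLE_MAPPING = {
    "findings": {
        "mappings": {
            "properties": {
                "date_uploaded": {"type": "date"},
                "host": {"type": "text"},
                "name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
                "risk": {"type": "text"},
            }
        }
    }
}

# Field types a terms aggregation can bucket on directly (doc values).
DIRECTLY_AGGREGATABLE = {
    "keyword", "date", "boolean", "ip",
    "long", "integer", "short", "byte", "double", "float",
}


def aggregatable_field(mapping, index, field):
    """Return the field name to use in a terms aggregation, or None.

    A text field is only aggregatable through a keyword sub-field; an
    unmapped field yields empty buckets instead of an error, which is
    exactly the symptom in the question.
    """
    props = mapping[index]["mappings"].get("properties", {})
    spec = props.get(field)
    if spec is None:
        return None
    if spec.get("type") in DIRECTLY_AGGREGATABLE:
        return field
    if spec.get("type") == "text":
        for sub, sub_spec in spec.get("fields", {}).items():
            if sub_spec.get("type") == "keyword":
                return f"{field}.{sub}"
    return None


def keyword_subfield_patch(mapping, index):
    """Body for PUT {index}/_mapping: add a keyword sub-field to every text
    field that lacks one. Fields that are already aggregatable are omitted,
    since the mapping update only needs the fields that change."""
    props = mapping[index]["mappings"].get("properties", {})
    patch = {}
    for name, spec in props.items():
        if spec.get("type") != "text":
            continue
        fields = spec.get("fields", {})
        if any(s.get("type") == "keyword" for s in fields.values()):
            continue
        patch[name] = {
            "type": "text",
            "fields": {**fields, "keyword": {"type": "keyword"}},
        }
    return {"properties": patch}


def terms_agg_request(field, agg_name="riskCount", size=10):
    """Body for POST {index}/_search counting documents per value of field."""
    return {"size": 0, "aggs": {agg_name: {"terms": {"field": field, "size": size}}}}


if __name__ == "__main__":
    field = aggregatable_field(SAMPLE_MAPPING, "findings", "risk")
    if field is None:
        print("risk has no aggregatable form; PUT findings/_mapping with:")
        print(json.dumps(keyword_subfield_patch(SAMPLE_MAPPING, "findings"), indent=2))
        print("then POST findings/_update_by_query and aggregate on risk.keyword")
    else:
        print(json.dumps(terms_agg_request(field), indent=2))
```

After the mapping update, existing documents still have no `risk.keyword` values until they are re-indexed, which is why both answers follow the `PUT _mapping` with `POST {index_name}/_update_by_query`; running the aggregation before that step gives the same empty buckets as before.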
