Expected [START_OBJECT] under [fields], but got a [START_ARRAY] in [statistics]

Question

I have the next error: Expected [START_OBJECT] under [fields], but got a [START_ARRAY] in [statistics]

The elasticsearch query:

body={"query":{"bool":{"must":[{"range":{"@timestamp":{"lte":"2022-03-24T09:25:15.000-03:00","gte":"2022-03-23T09:25:15.000-03:00"}}},{"match":{"type.keyword":"TABLE"}},{"match":{"HOSTNAME.keyword": "EQUIPO"}}],}},"aggs":{"statistics":{"fields":["COLUMN1","COLUMN2"]}}}

I expected to get correlation statistics between COLUMN1 and COLUMN2

Answer 1

Your JSON is malformed. there is unnecessary comma(,) after the match array as mentioned by Amit.

Alos, your correlation aggregation query is not correct. you are missing matrix_stats in aggregation body. You need to give aggregation like below:

{
  "aggs": {
    "statistics": {
      "matrix_stats": {
        "fields": [ "COLUMN1", "COLUMN2" ]
      }
    }
  }
}

Answer 2

Your JSON is malformed, there is unnecessary comma(,) after the match array.

Correct JSON for your query is

{
    "query": {
        "bool": {
            "must": [
                {
                    "range": {
                        "@timestamp": {
                            "lte": "2022-03-24T09:25:15.000-03:00",
                            "gte": "2022-03-23T09:25:15.000-03:00"
                        }
                    }
                },
                {
                    "match": {
                        "type.keyword": "TABLE"
                    }
                },
                {
                    "match": {
                        "HOSTNAME.keyword": "EQUIPO"
                    }
                }
            ]
        }
    },
    "aggs": {
        "statistics": {
            "fields": [
                "COLUMN1",
                "COLUMN2"
            ]
        }
    }
}