Reputation: 1
I'm porting a query from ELK 6 to ELK 8. The field names have changed significantly between these versions. In ELK 6, the field was geoip.country_code2. In ELK 8 it's changed to source.geo.country_iso_code. But when I try to filter on that field, it's not picking anything up. I can dump out the hits and see the field with values. But my filter doesn't collect them.
I can see hits containing fields like
"source":{"geo":{"country_iso_code":"AU"},"address":"123.208.218.163"}
Basically the same filter works in ELK 6. So it must be something to do with differences between ELK 6 and ELK 8.
My query is as follows (the "_source" key was missing its colon in the original paste; fixed here):
{
  "query": {
    "bool": {
      "filter": [
        {"range": {"@timestamp": {"gte": "<lower>", "lt": "<upper>"}}}
      ],
      "must": [
        {"match": {"http.response.status_code": "200"}},
        {"match": {"vhost": "<vhost>"}}
      ]
    }
  },
  "_source": ["url.original", "vhost", "@timestamp", "http.response.body.bytes", "source.address", "source.geo.country_iso_code"],
  "size": 0,
  "aggs": {
    "AU": {
      "filter": {
        "term": {"source.geo.country_iso_code": "AU"}
      },
      "aggs": {
        "sum_bytes": {"sum": {"field": "http.response.body.bytes"}},
        "ip_count": {"cardinality": {"field": "source.address"}}
      }
    },
    "int": {
      "filter": {
        "bool": {"must_not": {"term": {"source.geo.country_iso_code": "AU"}}}
      },
      "aggs": {
        "sum_bytes": {"sum": {"field": "http.response.body.bytes"}},
        "ip_count": {"cardinality": {"field": "source.address"}}
      }
    }
  }
}
But everything ends up in the int bucket, with nothing in the AU bucket.
Upvotes: 0
Views: 35
Reputation: 1
OK, someone's pointed me to the solution. Apparently I can't filter on text fields directly. I have to use the keyword subfield. So source.geo.country_iso_code.keyword.
This is mentioned in the documentation on terms aggregations, whereas this is a filter aggregation. But apparently the same thing applies.
Upvotes: 0
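The mechanism behind the answer above, as an added example that is not part of the original question or answer: a `term` clause is an exact, unanalyzed lookup, so against a `text` field (which the analyzer lowercases and tokenizes at index time) the value "AU" never matches the stored token "au", and the filter aggregation silently yields an empty bucket. The script below assumes a constructed index mapping in which `source.geo.country_iso_code` was dynamically mapped as `text` with a `keyword` sub-field (the situation the answer implies; a hand-written ECS mapping would make it `keyword` outright), walks a query body, and retargets every `term`/`terms` clause on such a field to its `.keyword` sub-field. The helper names (`exact_match_field`, `rewrite_term_filters`) and the `MAPPING` and `QUERY` dicts are this example's own, not Elasticsearch API.

```python
"""Retarget term filters on analyzed text fields to their keyword sub-field.

Added example; the mapping and query below are constructed to mirror the
question, not pulled from a live cluster.
"""
import copy

# Constructed mapping fragment (assumption): country_iso_code is a `text`
# field with a `keyword` sub-field, as dynamic mapping would produce.
MAPPING = {
    "properties": {
        "source": {
            "properties": {
                "address": {"type": "ip"},
                "geo": {
                    "properties": {
                        "country_iso_code": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        }
                    }
                },
            }
        },
        "http": {"properties": {"response": {"properties": {
            "body": {"properties": {"bytes": {"type": "long"}}}}}}},
    }
}

# The aggregation part of the question's query, verbatim in structure.
QUERY = {
    "size": 0,
    "aggs": {
        "AU": {
            "filter": {"term": {"source.geo.country_iso_code": "AU"}},
            "aggs": {
                "sum_bytes": {"sum": {"field": "http.response.body.bytes"}},
                "ip_count": {"cardinality": {"field": "source.address"}},
            },
        },
        "int": {
            "filter": {"bool": {"must_not": {"term": {"source.geo.country_iso_code": "AU"}}}},
            "aggs": {
                "sum_bytes": {"sum": {"field": "http.response.body.bytes"}},
                "ip_count": {"cardinality": {"field": "source.address"}},
            },
        },
    },
}


def exact_match_field(mapping: dict, dotted: str) -> str:
    """Return the field a `term` clause should target for an exact match.

    Walks the dotted path through the mapping's nested `properties`. If the
    leaf is a `text` field that carries a `keyword` sub-field, return
    `<path>.<subfield>`; otherwise return the path unchanged (keyword, ip,
    numeric and unknown fields are already exact-match capable).
    """
    node = mapping
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return dotted  # not in mapping; leave the clause alone
    if node.get("type") == "text":
        for sub, spec in node.get("fields", {}).items():
            if spec.get("type") == "keyword":
                return f"{dotted}.{sub}"
    return dotted


def rewrite_term_filters(query, mapping: dict):
    """Return a copy of `query` with term/terms clauses retargeted.

    Recurses through dicts and lists, so clauses nested inside `bool`,
    `must_not`, and filter aggregations are all handled. Only the field
    name (the key) changes; the value is preserved as written.
    """
    if isinstance(query, dict):
        out = {}
        for key, value in query.items():
            if key in ("term", "terms") and isinstance(value, dict):
                out[key] = {exact_match_field(mapping, f): copy.deepcopy(v)
                            for f, v in value.items()}
            else:
                out[key] = rewrite_term_filters(value, mapping)
        return out
    if isinstance(query, list):
        return [rewrite_term_filters(v, mapping) for v in query]
    return query


if __name__ == "__main__":
    import json
    print(json.dumps(rewrite_term_filters(QUERY, MAPPING), indent=2))
```

In production the mapping would come from `GET <index>/_mapping` rather than a literal; the rewrite is deliberately conservative, so fields that are not `text` (like `source.address`, mapped `ip`) and fields absent from the mapping pass through untouched. Note also that with `"size": 0` the question's `_source` list has no effect, since no hits are returned, only aggregation results.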