Deep Aggregation Support

Robert_George · May 14, 2018, 10:34am

Hi.

I do have a question.

Does elasticsearch support deep aggregations? (nested aggregation in nested aggregation). To make agg of a nested object inside a nested object. Specifically to count docs.
If so, please give me an example.

Thank you very much.

Mark_Harwood · May 14, 2018, 11:17am

"Nested" can be a reserved word in elasticsearch. Do you mean in the formal sense of nested field types and the nested type of aggregation or the more general sense of nesting JSON expressions?

Robert_George · May 14, 2018, 11:36am

Let me give an example:
Suppose you have a ES document like this:
{
IP:[{
Address: ip,
geoip: {
Country: string
}
},
{...}]
}
Both geoip and IP are nested objects

I want to count the ips (from the array field of nested objects IP), based on their country.
USA: 5
Great Britain:2

Is this doable?
Thank you.

Mark_Harwood · May 14, 2018, 12:30pm

Example mapping docs and query:

DELETE test
PUT test
{
  "mappings":{
	"doc":{
	  "properties": {
		"IP":{
		  "type":"nested",
		  "properties": {
			"address":{
			  "type":"ip"
			},
			"country":{
			  "type":"keyword"
			}
		  }
		}
	  }
	}
  }
}
POST test/doc/_bulk
{"index":{}}
{"IP":[ {"address":["1.1.1.1","1.1.1.2"], "country":"c1"}]}
{"index":{}}
{"IP":[ {"address":["2.2.2.2"], "country":"c2"}]}

POST test/_search
{
  "size":0,
  "aggs": {
	"byCountry": {
	  "nested": {
		"path": "IP"
	  },
	  "aggs": {
		"country": {
		  "terms": {
			"field": "IP.country"
		  },
		  "aggs":{
			"ipCount":{
			  "cardinality":{
				"field":"IP.address"
			  }
			}
		  }
		}
	  }
	}
  }
}

Robert_George · May 14, 2018, 12:48pm

Thank you for this reply but the IP nested object that has an geoip nested object that contains country keywork, like this:

 DELETE test
        PUT test
        {
          "mappings":{
        	"doc":{
        	  "properties": {
        		"IP":{
        		  "type":"nested",
        		  "properties": {
        			"address":{
        			       "type":"ip"
        			},
        			"geoip":{
        			   "type":"nested",
        		           "properties": {
        			       "country":{
        			              "type":"keyword"
        			          }
        		            }
        			}
        		  }
        		}
        	  }
        	}
          }
        }

Robert_George · May 14, 2018, 12:59pm

I have this mapping because of geoip plugin, which makes a geoip nested object.

Or is there a way to make geoip plugin not to make a geoip nested object and instead to include the fields like you did there?

Mark_Harwood · May 14, 2018, 1:12pm

I'm not familiar with the format of the geoip plugin but you can use an ingest pipeline to manipulate JSON prior to indexing where required.

Robert_George · May 14, 2018, 1:17pm

Ok. Thank you

Robert_George · May 14, 2018, 1:36pm

Could you give me an example of using 2 pipelines in a row? Like these 2: geoip and ingest
I am writting querries with kibana directly for ES.

Thank you for your help

Mark_Harwood · May 14, 2018, 1:42pm

My understanding is a single pipeline can include multiple processors and the geoip plugin describes itself as a processor so should be configurable as one of a sequence of processors in a pipeline.

Robert_George · May 14, 2018, 1:43pm

Thank you. That's all.

system · June 11, 2018, 1:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get total number of matched nested objects present in a elastcsearch index Elasticsearch	2	208	April 25, 2023
How to aggregate a deep nested document - built with recursion Elasticsearch	2	377	May 9, 2019
Counting unique root objects on nested aggregations Elasticsearch	2	1373	July 6, 2017
How to get nested inner objects total count in elasticsearch query Elasticsearch	3	11064	February 20, 2019
Count of nested documents by aggregation Elasticsearch	1	355	August 20, 2020

Deep Aggregation Support

Related topics