DSL Aggregations: How to get results, even if one of the aggs field is not present?

kelk · November 13, 2020, 3:07pm

We have to do aggregations for
host.os.name, host.name, host.ip

99% data has host.os.name
95% has host.name
25% has host.ip

How to ensure I get all the results, even if the field is not present?

So i'm looking for a table like

| host.os  |host.name   |  host.ip | count|
|---|---|---|--|
|linux   | mylinuxhost1  |   172.2.3.4|20|
|linux   | mylinuxhost2  |   NULL|10|
| windows  |  winhost1 | 12.2.3.4  |100|
| windows  |  winhost1 | NULL  |5|

I was just doing like below, the output gives me ONLY if all the fields are present

           "aggs": {
             ....
                "group_by_name": {
                    "terms": {
                        "field": "host.name.keyword"
                    },
                    "aggs": {
                      "group_by_ip": {
                          "terms": {
                              "field": "host.ip.keyword"
                          }, ....

warkolm · November 17, 2020, 11:17pm

Have you seen https://www.elastic.co/guide/en/elasticsearch/reference/7.10/search-aggregations-bucket-terms-aggregation.html#_missing_value_5, it might help?

system · December 15, 2020, 11:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DSL query aggregation question Elasticsearch	1	266	August 25, 2020
_field_names aggregation with sub-aggregation Elasticsearch	3	1078	July 5, 2017
Terms aggregation returns no buckets if some records are missing the field? Elasticsearch	6	2512	July 6, 2017
Return Selected Fields from DSL Aggregation Elasticsearch	1	252	June 3, 2022
Group by "field" OR group by missing "field" Elasticsearch	3	1701	July 5, 2017

DSL Aggregations: How to get results, even if one of the aggs field is not present?

Related topics