@Mark_Harwood
The aggregation searches are coming from inbuilt alerting functions on the Graylog web client; I am unsure how I would remove the gl2_terms field from the query.
I will let the guys at Graylog know and maybe they can do some further testing and resolve the issue.
Could you advise me on how to run the query directly against Elasticsearch?
Cheers both for your replies,
George