When performing this query:
GET /dnslog/doc/_search
{
  "size" : 0,
  "aggs": {
    "Actions": {
      "terms": {
        "field": "Action.keyword",
        "size": 30
      }
    }
  }
}
I get this result on my local deployment:
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 21,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "Actions": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "IN A",
          "doc_count": 7
        },
        {
          "key": "IN SRV",
          "doc_count": 5
        },
        {
          "key": "IN AAAA",
          "doc_count": 4
        },
        {
          "key": "IN SOA",
          "doc_count": 3
        },
        {
          "key": "IN IXFR",
          "doc_count": 1
        },
        {
          "key": "IN TXT",
          "doc_count": 1
        }
      ]
    }
  }
}
which is what I want.
But when performed on my server, I get this:
{
  "_shards" : {
    "successful" : 5,
    "failed" : 0,
    "total" : 5
  },
  "timed_out" : false,
  "took" : 55,
  "aggregations" : {
    "Actions" : {
      "buckets" : [],
      "sum_other_doc_count" : 0,
      "doc_count_error_upper_bound" : 0
    }
  },
  "hits" : {
    "hits" : [],
    "max_score" : 0,
    "total" : 246648
  }
}
Removing the .keyword gives me this:
{
  "aggregations" : {
    "Actions" : {
      "sum_other_doc_count" : 0,
      "doc_count_error_upper_bound" : 0,
      "buckets" : [
        {
          "key" : "in",
          "doc_count" : 170675
        },
        {
          "key" : "a",
          "doc_count" : 122391
        },
        {
          "doc_count" : 39935,
          "key" : "aaaa"
        },
        {
          "key" : "mx",
          "doc_count" : 3598
        },
        {
          "doc_count" : 2055,
          "key" : "txt"
        },
        {
          "doc_count" : 1123,
          "key" : "srv"
        },
        {
          "key" : "soa",
          "doc_count" : 920
        },
        {
          "doc_count" : 533,
          "key" : "ns"
        },
        {
          "key" : "naptr",
          "doc_count" : 81
        },
        {
          "key" : "ixfr",
          "doc_count" : 26
        },
        {
          "key" : "nsec",
          "doc_count" : 6
        },
        {
          "key" : "spf",
          "doc_count" : 5
        },
        {
          "key" : "any",
          "doc_count" : 2
        }
      ]
    }
  },
  "hits" : {
    "hits" : [],
    "max_score" : 0,
    "total" : 170675
  },
  "timed_out" : false,
  "_shards" : {
    "failed" : 0,
    "successful" : 5,
    "total" : 5
  },
  "took" : 209
}
How do I get my server deployment to behave like my local deployment?