As the title says, my data index is "ntopng-2018.01.02". This is my RESTful API:
GET ntopng-2018.01.02/_search
{
  "size": 0,
  "query": {
    "bool": {
      "should": [
        { "term": { "IPV4_SRC_ADDR": "120.127.160.91" } },
        { "term": { "IPV4_DST_ADDR": "120.127.160.91" } }
      ],
      "minimum_should_match": 1,
      "must": [
        {
          "range": {
            "LAST_SWITCHED": { "gte": 1514800209 }
          }
        }
      ]
    }
  },
  "aggs": {
    "genres": {
      "terms": { "field": "L7_PROTO_NAME.keyword" },
      "aggs": {
        "in_bytes": {
          "sum": { "field": "IN_BYTES" }
        }
      }
    }
  }
}
and the response:
{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 6,
    "successful": 6,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 282,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "genres": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}
It didn't classify L7_PROTO_NAME, but if I change to another index, "logstash-2018.01.02" (with the same data type fields), it returns classified data. This is my data: https://gist.github.com/Howard-Chang/808ed0f4c64c528051f284cee3ac0634
Thank you in advance.