Is "ip_range" a real bucket aggregation?

I'm getting a weird error when running the following ip_range aggs with a buckets_path:

GET ecs-net-7*/_search
{
  "size": 0,
  "aggs": {
    "1-bucket": {
      "ip_range": {
        "field": "destination.ip",
        "ranges": [
          {
            "mask": "192.168.0.0/16"
          },
          {
            "mask": "10.10.0.0/16"
          }
        ],
        "keyed": false
      }, 
      "aggs": {
        "1-metric": {
          "sum": {
            "field": "source.bytes"
          }
        }
      }
    },
    "1": {
      "sum_bucket": {
        "buckets_path": "1-bucket>1-metric"
      }
    }
  }
}

ERROR

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "The first aggregation in buckets_path must be a multi-bucket aggregation for aggregation [1] found :org.elasticsearch.search.aggregations.bucket.range.IpRangeAggregationBuilder for buckets path: 1-bucket>1-metric"
      }

ip_range is a multi-bucket aggregation, isn't it?

The filters aggregation with the following values works just fine:

        "filters": [
          {
            "match": {
              "destination.ip": "192.168.0.0/16"
            }
          },
          {
            "match": {
              "destination.ip": "10.10.0.0/16"
            }
          }
        ]

So, the question: why does the filters agg produce "good" buckets, while the ip_range agg does not?
Thanks!

Does it make sense to open a GitHub ticket?

I don't know. What do you think @jimczi @jpountz?

Yes, this looks like a bug; please open a GitHub ticket.

Submitted a ticket.

I've opened https://github.com/elastic/elasticsearch/pull/54161 to fix this.
