Join query (maps)

Pieter_Agenbag · January 27, 2020, 1:15pm

Hi , I was playing around in the maps section of Kibana , which I havent used before ... and stumbled on the "join" section in the Documents layer. Although I have no specific use for it in terms of maps ... it piqued my interest for other applications.

Upon inspecting the developer console ... I found it submitting the following query

{
  "size": 0,
  "aggs": {
    "join": {
      "terms": {
        "field": "ciClassKey",
        "order": {
          "_count": "desc"
        },
        "size": 10000
      },
      "aggs": {
        "__kbnjoin__max_of_unitCount_groupby_metadata.*.ciClassKey": {
          "max": {
            "field": "unitCount"
          }
        }
      }
    }
  },
  "_source": {
    "excludes": []
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "lastdate",
      "format": "date_time"
    }
  ],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

I couldnt actually get it to return any rows ...but was wondering if someone had some insight into the join aspect of it. Is it something we can use in normal ES queries ...or does Kibana pre-parse the query to do a separate second query to join the results from the first one on ?

jsanz · January 28, 2020, 2:54pm

just to clarify, you mean you could get results from the maps application in a layer, but running the query manually you didn't get any results?

Nathan_Reese · January 28, 2020, 3:03pm

but was wondering if someone had some insight into the join aspect of it.

Here is some documentation detailing how terms joins work, Term join | Kibana Guide [8.11] | Elastic

Is it something we can use in normal ES queries ...or does Kibana pre-parse the query to do a separate second query to join the results from the first one on ?

The request is just a standard _search terms aggregation request. The results from the terms aggregation are joined with the documents for the layer in the client with logic from Kibana.

Pieter_Agenbag · January 30, 2020, 1:07pm

The request is just a standard _search terms aggregation request. The results from the terms aggregation are joined with the documents for the layer in the client with logic from Kibana.

Thats what I initially thought .. but how does ES handle

"aggs": {
"__kbnjoin__max_of_unitCount_groupby_metadata.*.ciClassKey": {
"max": {
"field": "unitCount"
}
}
}

Thats the field in the >other< index. But I suppose then Kibana parses out the kbnjoin* aggs and creates a second request based on it ... and then joins the results after the fact.

Would be awesome if we could have that kind of functionality IN elasticsearch . I understand scaling concerns .... but would have though it could me mitigated with a "too_many_buckets_exception" type breaker.

system · February 27, 2020, 1:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.