Join query (maps)

Hi, I was playing around in the maps section of Kibana, which I haven't used before ... and stumbled on the "join" section in the Documents layer. Although I have no specific use for it in terms of maps ... it piqued my interest for other applications.

Upon inspecting the developer console ... I found it submitting the following query

{
  "size": 0,
  "aggs": {
    "join": {
      "terms": {
        "field": "ciClassKey",
        "order": {
          "_count": "desc"
        },
        "size": 10000
      },
      "aggs": {
        "__kbnjoin__max_of_unitCount_groupby_metadata.*.ciClassKey": {
          "max": {
            "field": "unitCount"
          }
        }
      }
    }
  },
  "_source": {
    "excludes": []
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "lastdate",
      "format": "date_time"
    }
  ],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

I couldn't actually get it to return any rows ... but was wondering if someone had some insight into the join aspect of it. Is it something we can use in normal ES queries ... or does Kibana pre-parse the query to do a separate second query to join the results from the first one on?

Just to clarify, you mean you could get results from the maps application in a layer, but running the query manually you didn't get any results?

but was wondering if someone had some insight into the join aspect of it.

Here is some documentation detailing how terms joins work, Term join | Kibana Guide [8.11] | Elastic

Is it something we can use in normal ES queries ... or does Kibana pre-parse the query to do a separate second query to join the results from the first one on?

The request is just a standard _search terms aggregation request. The results from the terms aggregation are joined with the documents for the layer in the client with logic from Kibana.
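A sketch of the client-side step described in the reply above, added here as an example and not part of the thread or Kibana's own code: Elasticsearch treats the aggregation name as an opaque label, and the join is a lookup of each bucket key against the layer documents. The sample response, the layer documents and the `ciClass` field name are constructed for illustration.

```javascript
// Added example: client-side term join over a terms-aggregation response.
// Constructed sample response for the request in the thread (values made up).
const METRIC = "__kbnjoin__max_of_unitCount_groupby_metadata.*.ciClassKey";
const sampleResponse = {
  hits: { total: { value: 42, relation: "eq" }, hits: [] }, // "size": 0 returns no rows
  aggregations: {
    join: {
      sum_other_doc_count: 0,
      buckets: [
        { key: "server", doc_count: 30, [METRIC]: { value: 16 } },
        { key: "router", doc_count: 12, [METRIC]: { value: 4 } },
      ],
    },
  },
};

// Constructed layer documents (the left side); "ciClass" is a hypothetical field.
const layerDocs = [
  { id: "a", ciClass: "server" },
  { id: "b", ciClass: "router" },
  { id: "c", ciClass: "printer" }, // no matching bucket
];

// Index buckets by term. Keys are stringified so that 7 and "7" match.
function indexBuckets(response, aggName, metricName) {
  const agg = response.aggregations && response.aggregations[aggName];
  if (!agg) throw new Error(`aggregation "${aggName}" missing from response`);
  const byKey = new Map();
  for (const b of agg.buckets) {
    const metric = b[metricName];
    byKey.set(String(b.key), { count: b.doc_count, value: metric ? metric.value : null });
  }
  // sum_other_doc_count > 0 means terms beyond the requested "size" were dropped.
  return { byKey, truncated: agg.sum_other_doc_count > 0 };
}

// Left join: every layer doc is kept; unmatched docs get null join properties.
function termJoin(docs, leftField, response, aggName, metricName) {
  const { byKey, truncated } = indexBuckets(response, aggName, metricName);
  const rows = docs.map((doc) => {
    const hit = byKey.get(String(doc[leftField]));
    return { ...doc, joinCount: hit ? hit.count : null, joinValue: hit ? hit.value : null };
  });
  return { rows, truncated };
}

const joined = termJoin(layerDocs, "ciClass", sampleResponse, "join", METRIC);
console.log(joined.rows, "truncated:", joined.truncated);
```

The joined data sits under `aggregations.join.buckets`, not under `hits.hits`, which stays empty because the request sets `"size": 0`.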

The request is just a standard _search terms aggregation request. The results from the terms aggregation are joined with the documents for the layer in the client with logic from Kibana.

That's what I initially thought ... but how does ES handle

"aggs": {
  "__kbnjoin__max_of_unitCount_groupby_metadata.*.ciClassKey": {
    "max": {
      "field": "unitCount"
    }
  }
}

That's the field in the >other< index. But I suppose then Kibana parses out the kbnjoin* aggs and creates a second request based on it ... and then joins the results after the fact.

Would be awesome if we could have that kind of functionality IN Elasticsearch. I understand scaling concerns ... but would have thought it could be mitigated with a "too_many_buckets_exception" type breaker.
