I'm trying to create a visualization in Kibana that displays data from my Elasticsearch index as a data table. However, when I select the "Terms" aggregation, the "violation_list" field does not appear. My goal is to show each bucket's "key" under a column labeled "Value" and its "doc_count" under a column labeled "Count". How can I achieve this?
Index Mapping:
{
"properties": {
"@timestamp": {
"format": "strict_date_optional_time||epoch_millis||yyyy-MM-DD HH:mm:ssz",
"index": true,
"ignore_malformed": false,
"store": false,
"type": "date",
"doc_values": true
},
"app_log_id": {
"type": "keyword"
},
"app_name": {
"type": "keyword"
},
"violation_list": {
"type": "nested",
"properties": {
"type": {
"type": "keyword"
},
"value": {
"type": "keyword"
}
}
}
}
}
Query:
POST /xxx/_search
{
"size": 0,
"aggs": {
"violation_counts": {
"nested": {
"path": "violation_list"
},
"aggs": {
"violation_values": {
"terms": {
"field": "violation_list.value",
"size": 100
}
}
}
}
}
}
Response:
{
"took": 550,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 9539,
"relation": "eq"
},
"max_score": null,
"hits": []
},
"aggregations": {
"violation_counts": {
"doc_count": 9751,
"violation_values": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 13,
"buckets": [
{
"key": "Bertug",
"doc_count": 2610
},
{
"key": "Mete",
"doc_count": 1510
}
// Other buckets...
]
}
}
}
}