I am sending http access log to my logstash server, each log has a "path" field which means the URL path after removing hostname. Therefore, "path" can be any string. When it is empty, its value is set to "-".
However, using term aggregation, I can only see non empty paths, logs with "path": "-" doesn't appear in the aggregation result. What could be the reason for this? I am still new to ES.
Is the value actually - or is it null?
Can you post an example document?
@warkolm: the value is exactly "-" as seen in the document returned from elasticsearch
I just found this, It probably has something to do with delimiter: https://www.elastic.co/guide/en/elasticsearch/reference/2.0/analysis-word-delimiter-tokenfilter.html
I'll try to disable them and report here later.