As far as I understand, if we perform a simple (non-nested) aggregation on a nested field, each bucket contains the count of parent documents (the documents of which this nested field is a property), and not the count of nested documents.
Assuming this, I now have the following mapping:
{
  "properties": {
    "openPort": {
      "type": "nested",
      "include_in_parent": true,
      "properties": {
        "port": {
          "type": "integer"
        },
        "protocol": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}
Now I want to find:
1. All the possible combinations of (port, protocol).
2. The total count of these combinations.
3. The count of outer documents per combination.
Hence, to achieve (1) and (2), the following does not give the correct result:
{
  "aggs": {
    "multi_field_cardinality": {
      "cardinality": {
        "script": {
          "inline": "doc['openPort.port'].value + '#' + doc['openPort.protocol.keyword'].value"
        },
        "precision_threshold": 4000
      }
    },
    "multi_field_terms": {
      "terms": {
        "script": {
          "inline": "doc['openPort.port'].value + '#' + doc['openPort.protocol.keyword'].value"
        },
        "size": 4000
      }
    }
  }
}
The inaccuracy is that it does not include all the combinations of (port, protocol).
But the following nested aggregation includes them all:
{
  "aggs": {
    "count_multi-field": {
      "nested": {
        "path": "openPort"
      },
      "aggs": {
        "multi_field_cardinality": {
          "cardinality": {
            "script": {
              "inline": "doc['openPort.port'].value + '#' + doc['openPort.protocol.keyword'].value"
            },
            "precision_threshold": 4000
          }
        },
        "multi_field_terms": {
          "terms": {
            "script": {
              "inline": "doc['openPort.port'].value + '#' + doc['openPort.protocol.keyword'].value"
            },
            "size": 1000
          }
        }
      }
    }
  }
}
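Added example (not part of the original post, and not Elasticsearch code): a small Python model of the two aggregations above, run over constructed host documents, showing why the non-nested script misses combinations and how the three requested counts differ. It assumes that with `include_in_parent` the parent sees `openPort.port` and `openPort.protocol.keyword` as independent sorted multi-valued fields and that `.value` reads only the first value; the function names and sample hosts are hypothetical. In Elasticsearch itself, the per-combination parent count in (3) is what a `reverse_nested` sub-aggregation under the nested terms buckets returns.

```python
from collections import Counter

# Constructed sample: each parent document is a host with nested openPort objects.
HOSTS = [
    {"host": "a", "openPort": [{"port": 22, "protocol": "tcp"},
                               {"port": 53, "protocol": "udp"}]},
    {"host": "b", "openPort": [{"port": 53, "protocol": "udp"},
                               {"port": 443, "protocol": "tcp"}]},
    {"host": "c", "openPort": [{"port": 53, "protocol": "udp"},
                               {"port": 53, "protocol": "udp"},
                               {"port": 123, "protocol": "udp"}]},
]

def key(port, protocol):
    return f"{port}#{protocol}"

def flat_terms(docs):
    """Model of the non-nested script: one key per parent document, built from
    the first value of each flattened field (assumption: values are sorted)."""
    buckets = Counter()
    for doc in docs:
        ports = sorted(o["port"] for o in doc["openPort"])
        protocols = sorted({o["protocol"] for o in doc["openPort"]})
        if ports and protocols:
            buckets[key(ports[0], protocols[0])] += 1
    return buckets

def nested_terms(docs):
    """Model of the nested aggregation: one key per nested openPort object."""
    return Counter(key(o["port"], o["protocol"])
                   for doc in docs for o in doc["openPort"])

def parent_counts(docs):
    """Count (3): each parent document counted once per combination it holds."""
    buckets = Counter()
    for doc in docs:
        buckets.update({key(o["port"], o["protocol"]) for o in doc["openPort"]})
    return buckets

if __name__ == "__main__":
    print("flat  :", dict(flat_terms(HOSTS)))
    print("nested:", dict(nested_terms(HOSTS)))
    print("parent:", dict(parent_counts(HOSTS)))
    print("distinct combinations:", len(nested_terms(HOSTS)))
```

For host "b" the flat model emits `53#tcp`, a pair that exists in no nested object, while `443#tcp` and `123#udp` never appear; the nested bucket for `53#udp` counts 4 nested objects but only 3 hosts.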