Sub-aggregations in bucket Aggregation's Terms return 0 as Value

Draken · April 22, 2022, 4:48pm

Hello, I'm recently introduced to Elasticsearch and currently trying to build a Monitoring application on top of it, at first everything went smoothly as we worked on elastic version 6.5.4, then we decided to move on to elastic 7.17.0 and i got in a bit of a problem using bucket aggregations, In elastic 6.x using this query to search for process metrics collected with Metricbeat runs without a hitch

Query:

{
    "aggregations": {
        "Agg_By_Field": {
            "terms": {
                "field": "system.filesystem.device_name",
                "size": 10,
                "min_doc_count": 1,
                "shard_min_doc_count": 0,
                "show_term_doc_count_error": false,
                "order": [
                    {
                        "_count": "desc"
                    },
                    {
                        "_key": "asc"
                    }
                ]
            }
            ,
            "aggregations": {
                "Agg_Function": {
                    "max": {
                        "field": "system.filesystem.used.pct"
                    }
                }
            }
        }
    }
}

But when we migrated we faced a problem which we corrected it by adding the .keyword in the aggregated field like so:

{
    "aggregations": {
        "Agg_By_Field": {
            "terms": {
                "field": "system.filesystem.device_name.keyword",
                "size": 10,
                "min_doc_count": 1, 
                ...
}

But even After this we still keep getting values of 0.0 for the sub-aggregation Agg_Function in the returned buckets:

"aggregations": {
        "Agg_By_Field": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "key": "/dev/mapper/vg_data-lv_data",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "/dev/mapper/vg_system-lv_root",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "/dev/mapper/vg_system-lv_tmp",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "/dev/mapper/vg_system-lv_var",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "/dev/mapper/vg_system-lv_var_log",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "/dev/sda1",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                },
                {
                    "key": "gvfsd-fuse",
                    "doc_count": 2686,
                    "Agg_Function": {
                        "value": 0.0
                    }
                }
            ]
        }
    }

We tried to search for a solution in the documentations but with no luck, is there something we are missing here ?, If so please help!

And Thank You.

RabBit_BR · April 23, 2022, 3:21pm

Hi.
It's possible send a exemple of document?

Draken · April 23, 2022, 7:02pm

Yes sure here you go :

"hits": [
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "O24iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "event": {
                "duration": 413919,
                "dataset": "system.filesystem",
                "module": "system"
            },
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "service": {
                "type": "system"
            },
            "ecs": {
                "version": "1.12.0"
            },
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "agent": {
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com",
                "type": "metricbeat",
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06"
            },
            "system": {
                "filesystem": {
                    "files": 0,
                    "type": "fuse.gvfsd-fuse",
                    "mount_point": "/run/user/1000/gvfs",
                    "total": 0,
                    "free": 0,
                    "used": {
                        "pct": 0,
                        "bytes": 0
                    },
                    "available": 0,
                    "free_files": 0,
                    "device_name": "gvfsd-fuse"
                }
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "PG4iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "event": {
                "dataset": "system.filesystem",
                "module": "system",
                "duration": 443981
            },
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "service": {
                "type": "system"
            },
            "system": {
                "filesystem": {
                    "total": 2136997888,
                    "free": 2068807680,
                    "mount_point": "/var/log/audit",
                    "used": {
                        "bytes": 68190208,
                        "pct": 0.0319
                    },
                    "files": 1048576,
                    "device_name": "/dev/mapper/vg_system-lv_var_log_audit",
                    "available": 2068807680,
                    "free_files": 1048568,
                    "type": "xfs"
                }
            },
            "ecs": {
                "version": "1.12.0"
            },
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "agent": {
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com",
                "type": "metricbeat",
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06"
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "PW4iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "ecs": {
                "version": "1.12.0"
            },
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "agent": {
                "type": "metricbeat",
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06",
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com"
            },
            "service": {
                "type": "system"
            },
            "system": {
                "filesystem": {
                    "device_name": "/dev/sda1",
                    "total": 520785920,
                    "used": {
                        "pct": 0.3267,
                        "bytes": 170131456
                    },
                    "free_files": 255675,
                    "type": "xfs",
                    "mount_point": "/boot",
                    "free": 350654464,
                    "files": 256000,
                    "available": 350654464
                }
            },
            "event": {
                "duration": 451878,
                "dataset": "system.filesystem",
                "module": "system"
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "Pm4iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "ecs": {
                "version": "1.12.0"
            },
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "system": {
                "filesystem": {
                    "free": 69292654592,
                    "device_name": "/dev/mapper/vg_data-lv_data",
                    "mount_point": "/opt",
                    "free_files": 100637421,
                    "type": "xfs",
                    "available": 69292654592,
                    "used": {
                        "pct": 0.6773,
                        "bytes": 145417965568
                    },
                    "files": 104849408,
                    "total": 214710620160
                }
            },
            "event": {
                "duration": 501946,
                "dataset": "system.filesystem",
                "module": "system"
            },
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "service": {
                "type": "system"
            },
            "agent": {
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06",
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com",
                "type": "metricbeat",
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com"
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "P24iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "event": {
                "dataset": "system.filesystem",
                "module": "system",
                "duration": 509927
            },
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "service": {
                "type": "system"
            },
            "system": {
                "filesystem": {
                    "free_files": 20389011,
                    "device_name": "/dev/mapper/vg_system-lv_root",
                    "mount_point": "/",
                    "type": "xfs",
                    "free": 17981685760,
                    "used": {
                        "bytes": 24424824832,
                        "pct": 0.576
                    },
                    "available": 17981685760,
                    "files": 20711424,
                    "total": 42406510592
                }
            },
            "ecs": {
                "version": "1.12.0"
            },
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "agent": {
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06",
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com",
                "type": "metricbeat",
                "version": "7.17.0"
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "QG4iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "event": {
                "dataset": "system.filesystem",
                "module": "system",
                "duration": 516403
            },
            "metricset": {
                "period": 60000,
                "name": "filesystem"
            },
            "service": {
                "type": "system"
            },
            "system": {
                "filesystem": {
                    "free_files": 1572759,
                    "total": 3210739712,
                    "type": "xfs",
                    "device_name": "/dev/mapper/vg_system-lv_tmp",
                    "mount_point": "/tmp",
                    "free": 3152244736,
                    "available": 3152244736,
                    "used": {
                        "pct": 0.0182,
                        "bytes": 58494976
                    },
                    "files": 1572864
                }
            },
            "agent": {
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06",
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com",
                "type": "metricbeat"
            },
            "ecs": {
                "version": "1.12.0"
            }
        }
    },
    {
        "_index": "filesystem_metrics",
        "_type": "_doc",
        "_id": "QW4iTYABY_MEpI0ECRj0",
        "_score": 1.0,
        "_source": {
            "@timestamp": "2022-04-21T17:18:37.080Z",
            "host": {
                "name": "vm-prd-dev2.device.com"
            },
            "agent": {
                "type": "metricbeat",
                "version": "7.17.0",
                "hostname": "vm-prd-dev2.device.com",
                "ephemeral_id": "118bd4eb-9731-4c51-8056-9418e0ba2f06",
                "id": "49b47764-000c-4975-8398-2509c20af3d5",
                "name": "vm-prd-dev2.device.com"
            },
            "event": {
                "dataset": "system.filesystem",
                "module": "system",
                "duration": 573449
            },
            "metricset": {
                "name": "filesystem",
                "period": 60000
            },
            "service": {
                "type": "system"
            },
            "system": {
                "filesystem": {
                    "device_name": "/dev/mapper/vg_system-lv_var",
                    "free_files": 5142327,
                    "mount_point": "/var",
                    "available": 2657853440,
                    "free": 2657853440,
                    "used": {
                        "pct": 0.7522,
                        "bytes": 8069079040
                    },
                    "type": "xfs",
                    "files": 5242880,
                    "total": 10726932480
                }
            },
            "ecs": {
                "version": "1.12.0"
            }
        }
    }
    ...
]

And just recently we figured out that the type of the field in the sub-aggregation is of type long as in Elastic 6.x it was of type scaled_float

# Elasticsearch 7.17.0
"used": {
                  "properties": {
                    "bytes": {
                      "type": "long"
                    },
                    "pct": {
                      "type": "long"
                    }
                  }
}
# Elasticsearch 6.5.4
"used": {
                    "properties": {
                      "bytes": {
                        "type": "long"
                      },
                      "pct": {
                        "type": "scaled_float",
                        "scaling_factor": 1000.0
                      }
                    }
}

I don't know if this has something to do with it or not ?

system · April 23, 2022, 7:02pm

Elasticsearch 6.5 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

RabBit_BR · April 23, 2022, 8:12pm

Try mapping field with type double:

 "used": {
                "properties": {
                  "bytes": {
                    "type": "long"
                  },
                  "pct": {
                    "type": "double"
                  }
                }
              }

Draken · April 24, 2022, 1:28am

Yes that worked fine, thank you for your help!

system · May 22, 2022, 1:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Returning bucket with 0 count in terms aggregation Elasticsearch	7	14258	July 11, 2017
Empty Buckets in Terms Aggregation when using .keyword Elasticsearch	4	1975	May 26, 2018
_field_names aggregation with sub-aggregation Elasticsearch	3	1078	July 5, 2017
Aggregations return result with sum_other_doc_count Elasticsearch	3	11410	July 5, 2017
When are “buckets”: [] in an aggregation? Elasticsearch	1	343	April 4, 2018

Sub-aggregations in bucket Aggregation's Terms return 0 as Value

Related topics