Hello, I was recently introduced to Elasticsearch and am currently trying to build a monitoring application on top of it. At first everything went smoothly, as we worked on Elastic version 6.5.4; then we decided to move on to Elastic 7.17.0 and I got into a bit of a problem using bucket aggregations. In Elastic 6.x, using this query to search for process metrics collected with Metricbeat runs without a hitch.

Query:
{
  "aggregations": {
    "Agg_By_Field": {
      "terms": {
        "field": "system.filesystem.device_name",
        "size": 10,
        "min_doc_count": 1,
        "shard_min_doc_count": 0,
        "show_term_doc_count_error": false,
        "order": [
          {
            "_count": "desc"
          },
          {
            "_key": "asc"
          }
        ]
      },
      "aggregations": {
        "Agg_Function": {
          "max": {
            "field": "system.filesystem.used.pct"
          }
        }
      }
    }
  }
}
But when we migrated we faced a problem, which we corrected by adding the .keyword suffix to the aggregated field, like so:
{
  "aggregations": {
    "Agg_By_Field": {
      "terms": {
        "field": "system.filesystem.device_name.keyword",
        "size": 10,
        "min_doc_count": 1,
        ...
}
But even after this we still keep getting values of 0.0 for the sub-aggregation Agg_Function in the returned buckets:
"aggregations": {
  "Agg_By_Field": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 0,
    "buckets": [
      {
        "key": "/dev/mapper/vg_data-lv_data",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "/dev/mapper/vg_system-lv_root",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "/dev/mapper/vg_system-lv_tmp",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "/dev/mapper/vg_system-lv_var",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "/dev/mapper/vg_system-lv_var_log",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "/dev/sda1",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      },
      {
        "key": "gvfsd-fuse",
        "doc_count": 2686,
        "Agg_Function": {
          "value": 0.0
        }
      }
    ]
  }
}
We tried to search for a solution in the documentation but with no luck. Is there something we are missing here? If so, please help!
And thank you.
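As an added diagnostic (not part of the original post), this Python snippet builds the same terms + max aggregation, checks from an index mapping that the grouped field is keyword-typed and the metric field numeric, and flags buckets whose max came back as 0.0 or null. The field names are the ones from the post; the mapping and response below are constructed samples, not real cluster output.

```python
NUMERIC = {"long", "integer", "short", "byte", "double", "float",
           "half_float", "scaled_float"}

def build_agg(group_field, metric_field, size=10):
    """Request body for the terms + max aggregation from the post (hits suppressed)."""
    return {"size": 0, "aggregations": {"Agg_By_Field": {
        "terms": {"field": group_field, "size": size, "min_doc_count": 1,
                  "order": [{"_count": "desc"}, {"_key": "asc"}]},
        "aggregations": {"Agg_Function": {"max": {"field": metric_field}}}}}}

def field_type(properties, dotted):
    """Resolve a dotted field name in a mapping 'properties' tree; None if absent."""
    node = None
    for part in dotted.split("."):
        if not properties or part not in properties:
            return None
        node = properties[part]
        # a multi-field such as device_name.keyword lives under 'fields'
        properties = node.get("properties") or node.get("fields")
    return node.get("type") if node else None

def check_fields(properties, group_field, metric_field):
    """List mapping problems that would make the aggregation meaningless."""
    problems = []
    gt = field_type(properties, group_field)
    if gt != "keyword":
        problems.append(f"{group_field}: expected keyword, got {gt}")
    mt = field_type(properties, metric_field)
    if mt not in NUMERIC:
        problems.append(f"{metric_field}: expected a numeric type, got {mt}")
    return problems

def zero_buckets(response):
    """Bucket keys whose max sub-aggregation is 0.0 or null (the symptom in the post)."""
    buckets = response["aggregations"]["Agg_By_Field"]["buckets"]
    return [b["key"] for b in buckets if not b["Agg_Function"].get("value")]

# Constructed sample mapping, shaped like the 'properties' subtree of GET /<index>/_mapping.
SAMPLE_PROPERTIES = {"system": {"properties": {"filesystem": {"properties": {
    "device_name": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "used": {"properties": {"pct": {"type": "scaled_float", "scaling_factor": 1000}}},
}}}}}

# Constructed sample response: one healthy bucket and one showing the 0.0 symptom.
SAMPLE_RESPONSE = {"aggregations": {"Agg_By_Field": {"buckets": [
    {"key": "/dev/mapper/vg_data-lv_data", "doc_count": 2686, "Agg_Function": {"value": 0.42}},
    {"key": "/dev/sda1", "doc_count": 2686, "Agg_Function": {"value": 0.0}},
]}}}

if __name__ == "__main__":
    print(check_fields(SAMPLE_PROPERTIES, "system.filesystem.device_name",
                       "system.filesystem.used.pct"))
    print(zero_buckets(SAMPLE_RESPONSE))
```

Run check_fields against the real mapping of the Metricbeat index before trusting a 0.0 result, since a wrong field type yields a syntactically valid but meaningless aggregation.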