Terms aggregation is breaking field into tokens

harshafrnd4u · March 7, 2016, 10:46am

I am using terms aggregation in elasticsearch something like

"aggs": {
"url": {
"terms": {
"field": "request"
}
}
}

My request field have values like "GET /" or "GET /test.html" . When I execute above query the output has buckets with

"buckets": [
{
"key": "get",
"doc_count": 436830
},
{
"key": "test.html",
"doc_count": 2
}
]

I can see that it broke request field into multiple tokens and made it buckets. How to use aggregation with exact field ? I expect buckets to be "GET /" and "GET /test.html" .Please help

mainec · March 7, 2016, 12:02pm

You probably stored the data in the field you are running the aggregation on in analyzed form. This means that the string stored in this field is split into what Elasticsearch thinks are distinct tokens/words. What you want instead is to store your data as "not_analyzed". For more information see also here:

https://www.elastic.co/guide/en/elasticsearch/guide/current/mapping-intro.html

Hope this helps,
Isabel

Topic		Replies	Views
Terms aggregation for emails list Elasticsearch	6	846	November 15, 2019
Terms aggregation split by coma Elasticsearch aggregations	6	247	March 7, 2024
Aggregation-keywords Elasticsearch	11	6743	January 11, 2019
Terms aggregation ignoring analyzers? Elasticsearch	4	453	June 1, 2018
Strange terms aggregation result: the single document is placed in several buckets if field contains some special symbols Elasticsearch	3	381	July 5, 2017

Terms aggregation is breaking field into tokens

Related topics