Hello,
I am having a hard time trying to understand the value and doc_count parameters when performing a query. As you see, in the result query I get two different numbers per "key" : "Access from malicious IP address", same for "key":"6". I don't understand why and would like clarification on the matter. Thank you.
"aggregations" : {
  "2" : {
    "doc_count_error_upper_bound" : 0,
    "sum_other_doc_count" : 0,
    "buckets" : [
      {
        "key" : "6",
        "doc_count" : 283,
        "1" : {
          "value" : 154
        },
        "3" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 0,
          "buckets" : [
            {
              "key" : "malicious IP address",
              "doc_count" : 277,
              "1" : {
                "value" : 148
              }
            },
            {
              "key" : "Evasion technique detected",
              "doc_count" : 6,
              "1" : {
                "value" : 6
              }
            }
          ]
        }
      }
    ]
  }
}
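An added example, not part of the original post, that emulates how a response of this shape is produced. In Elasticsearch, `doc_count` is the number of documents that fell into a bucket, while `value` is the result of a single-value metric sub-aggregation (named "1" in the post's query) computed over those same documents. The post does not say which metric "1" is, so this example assumes a `cardinality` aggregation (unique count), which fits the pattern that `value` never exceeds `doc_count`; the field names `severity`, `rule` and `source_ip` and the sample alert records are constructed for illustration. The example also builds the request DSL that would ask Elasticsearch for this structure.

```python
from collections import defaultdict

# Constructed sample of security alert documents (not data from the original post).
# Field names "severity", "rule" and "source_ip" are assumptions for illustration.
DOCS = [
    {"severity": "6", "rule": "malicious IP address", "source_ip": "198.51.100.10"},
    {"severity": "6", "rule": "malicious IP address", "source_ip": "198.51.100.10"},
    {"severity": "6", "rule": "malicious IP address", "source_ip": "198.51.100.11"},
    {"severity": "6", "rule": "Evasion technique detected", "source_ip": "198.51.100.10"},
    {"severity": "6", "rule": "Evasion technique detected", "source_ip": "203.0.113.5"},
    {"severity": "4", "rule": "malicious IP address", "source_ip": "198.51.100.10"},
]


def agg_request(term_field="severity", sub_term_field="rule", card_field="source_ip"):
    """Request body that asks Elasticsearch for the same structure as the post's
    response: a terms bucket agg "2" holding a cardinality metric "1" and a nested
    terms agg "3" that repeats the metric. The cardinality metric is an assumption."""
    metric = {"1": {"cardinality": {"field": card_field}}}
    return {
        "size": 0,
        "aggs": {
            "2": {
                "terms": {"field": term_field},
                "aggs": {
                    **metric,
                    "3": {"terms": {"field": sub_term_field}, "aggs": dict(metric)},
                },
            }
        },
    }


def terms_with_cardinality(docs, term_field, card_field, sub_term_field=None):
    """Emulate a terms aggregation whose sub-aggregation "1" is a cardinality over
    card_field (exact here; approximate in real Elasticsearch), optionally nesting a
    second terms aggregation "3" on sub_term_field. Returns the list of buckets."""
    groups = defaultdict(list)
    for doc in docs:
        groups[doc[term_field]].append(doc)

    buckets = []
    # Largest bucket first, as the terms aggregation orders by doc_count by default.
    for key, members in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        bucket = {
            "key": key,
            # doc_count: how many documents landed in this bucket
            "doc_count": len(members),
            # value: the metric computed over those documents (here, distinct IPs)
            "1": {"value": len({m[card_field] for m in members})},
        }
        if sub_term_field:
            bucket["3"] = {
                "buckets": terms_with_cardinality(members, sub_term_field, card_field)
            }
        buckets.append(bucket)
    return buckets


def doc_counts_are_additive(bucket):
    """doc_count of a parent bucket equals the sum of its child buckets' doc_counts
    (when sum_other_doc_count is 0); a cardinality value is not additive, because the
    same source_ip can appear under several child keys."""
    children = bucket["3"]["buckets"]
    counts_add_up = sum(b["doc_count"] for b in children) == bucket["doc_count"]
    values_add_up = sum(b["1"]["value"] for b in children) == bucket["1"]["value"]
    return counts_add_up, values_add_up


if __name__ == "__main__":
    import json
    print(json.dumps({"aggregations": {"2": {"buckets":
          terms_with_cardinality(DOCS, "severity", "source_ip", "rule")}}}, indent=2))
```

With the sample above, the severity "6" bucket reports `doc_count` 5 but `value` 3, because two of the five alerts share a source IP with other alerts in the bucket; the child buckets' `doc_count`s sum back to 5, while their `value`s (2 + 2) do not sum to the parent's 3.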