Value and doc_count difference

victor3443 · April 1, 2019, 8:39am

Hello,

I am having a hard time trying to understand the value and doc_count parameters when performing a query. As you see, in the result query I get two different numbers per "key" : "Access from malicious IP address", same for "key":"6". I don't understand why and would like clarification on the matter. Thank you.

  "aggregations" : {
    "2" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "6",
          "doc_count" : 283,
          "1" : {
            "value" : 154
          },
          "3" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : "malicious IP address",
                "doc_count" : 277,
                "1" : {
                  "value" : 148
                }
              },
              {
                "key" : "Evasion technique detected",
                "doc_count" : 6,
                "1" : {
                  "value" : 6
                }
              }
            ]
          }
        }
      ]
    }
  }

system · April 29, 2019, 8:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Understanding doc_count_error_upper_bound Elasticsearch	1	6237	February 28, 2018
Elasticsearch top_hits aggregation result and doc_count are different Elasticsearch	3	396	February 20, 2022
Count and Stats api showing different doc's count in Elasticsearch? Elasticsearch	3	1863	August 2, 2017
Simple aggregation on a field for more than one value Elasticsearch	1	398	May 31, 2020
Different aggregation count for the same value Elasticsearch	1	306	March 2, 2023

Value and doc_count difference

Related Topics