Why do I get empty buckets when I aggregate on a nested field?

I'm trying to count() the network.protocol field when grouped by network.protocol. So I tried something like this:

GET .ds-packetbeat-8.5.3-2022.12.14-000001/_search
{
  "aggs": {
    "network": {
      "nested": {
        "path": "network"
      },
      "aggs": {
        "protocol": {
          "terms": {
            "field": "network.protocol"
          },
          "aggs": {
            "count": {
              "value_count": {
                "field": "network.protocol"
              }
            }
          }
        }
      }
    }
  }
}

But this gave me empty buckets like this:

{
  ...
  "aggregations": {
    "network": {
      "doc_count": 0,
      "protocol": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": []
      }
    }
  }
}

But I know that there are records where network.protocol does have a value because this query returns plenty of results:

GET .ds-packetbeat-8.5.3-2022.12.14-000001/_search
{
  "query" : {
    "match": {
      "network.protocol": "sip"
    }
  }
}

How can I get a count grouped by network.protocol?
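The following is an added example, not code from the post above or from Elastic. It assumes what Packetbeat's standard index template does in practice: `network` is mapped as an ordinary object, not as type `nested`, so a `nested` aggregation with `"path": "network"` matches no documents and its `doc_count` is 0. The safe way to decide is to read the mapping (`GET <index>/_mapping`) before choosing the aggregation shape. The mapping and response below (`SAMPLE_MAPPING`, `SAMPLE_RESPONSE`) are constructed and abbreviated; the helper names `is_nested_path`, `protocol_count_body` and `bucket_counts` are this example's own.

```python
"""
Pick the right aggregation for grouping by network.protocol: wrap the terms
aggregation in a `nested` aggregation only when the mapping says the `network`
field is nested. For a plain object field the terms aggregation sits at the
top level and each bucket's doc_count is already the per-protocol count, so
the extra value_count sub-aggregation is not needed.
"""
import json

INDEX = ".ds-packetbeat-8.5.3-2022.12.14-000001"

# Constructed, abbreviated mapping as GET <index>/_mapping might return it.
# `network` is a plain object here (no "type": "nested"), as in Packetbeat.
SAMPLE_MAPPING = {
    INDEX: {
        "mappings": {
            "properties": {
                "network": {
                    "properties": {
                        "protocol": {"type": "keyword"},
                        "transport": {"type": "keyword"},
                    }
                },
                "source": {"properties": {"ip": {"type": "ip"}}},
            }
        }
    }
}

# Constructed response to the non-nested body built by protocol_count_body(False).
SAMPLE_RESPONSE = {
    "took": 3,
    "timed_out": False,
    "hits": {"total": {"value": 1200, "relation": "eq"}, "hits": []},
    "aggregations": {
        "protocol": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "dns", "doc_count": 640},
                {"key": "sip", "doc_count": 410},
                {"key": "http", "doc_count": 150},
            ],
        }
    },
}


def is_nested_path(mapping: dict, index: str, path: str) -> bool:
    """Return True if the dotted `path` is mapped with "type": "nested" in `index`."""
    node = {"properties": mapping[index]["mappings"]["properties"]}
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            raise KeyError(f"{path!r} is not in the mapping of {index}")
    return node.get("type") == "nested"


def protocol_count_body(nested: bool, size: int = 50) -> dict:
    """Build the _search body that groups documents by network.protocol.

    size=0 suppresses the hits; only the aggregation result is wanted.
    """
    terms = {"terms": {"field": "network.protocol", "size": size}}
    if nested:
        # Only correct when `network` really is a nested field.
        return {
            "size": 0,
            "aggs": {
                "network": {"nested": {"path": "network"}, "aggs": {"protocol": terms}}
            },
        }
    return {"size": 0, "aggs": {"protocol": terms}}


def bucket_counts(response: dict, nested: bool) -> dict:
    """Map each protocol key to its doc_count, for either body shape."""
    aggs = response["aggregations"]
    protocol = aggs["network"]["protocol"] if nested else aggs["protocol"]
    return {b["key"]: b["doc_count"] for b in protocol["buckets"]}


if __name__ == "__main__":
    nested = is_nested_path(SAMPLE_MAPPING, INDEX, "network")
    print(f"network is nested: {nested}")
    print(json.dumps(protocol_count_body(nested), indent=2))
    print(bucket_counts(SAMPLE_RESPONSE, nested))
```

Run against a real cluster, `is_nested_path` would be fed the JSON from `GET <index>/_mapping` and `bucket_counts` the JSON from `GET <index>/_search` with the generated body; if the mapping check returns False for `network`, the `nested` wrapper in the original query is the reason for `doc_count: 0`.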
