I'm trying to count() the network.protocol field when grouped by network.protocol. So I tried something like this:
GET .ds-packetbeat-8.5.3-2022.12.14-000001/_search
{
  "aggs": {
    "network": {
      "nested": {
        "path": "network"
      },
      "aggs": {
        "protocol": {
          "terms": {
            "field": "network.protocol"
          },
          "aggs": {
            "count": {
              "value_count": {
                "field": "network.protocol"
              }
            }
          }
        }
      }
    }
  }
}
But this gave me empty buckets like this:
{
  ...
  "aggregations": {
    "network": {
      "doc_count": 0,
      "protocol": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": []
      }
    }
  }
}
But I know that there are records where network.protocol does have a value because this query returns plenty of results:
GET .ds-packetbeat-8.5.3-2022.12.14-000001/_search
{
  "query": {
    "match": {
      "network.protocol": "sip"
    }
  }
}
How can I get a count grouped by network.protocol?
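An added example (not part of the original post) showing how to check for the usual cause of this result and build the query accordingly: a `nested` aggregation returns `doc_count: 0` and empty buckets when its path is mapped as a plain object rather than a `nested` type, which is how Packetbeat maps `network`. The mapping excerpt and the response below are constructed samples, and the `size` value is an assumption.

```python
# Constructed sample: a Packetbeat-style mapping excerpt in which "network"
# is a plain object (no "type": "nested"), so a nested aggregation on it
# matches nothing.
SAMPLE_MAPPING = {
    ".ds-packetbeat-8.5.3-2022.12.14-000001": {
        "mappings": {
            "properties": {
                "network": {"properties": {"protocol": {"type": "keyword"}}}
            }
        }
    }
}

# Constructed sample response for the plain terms aggregation built below.
SAMPLE_RESPONSE = {
    "aggregations": {
        "protocol": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "sip", "doc_count": 1200},
                {"key": "dns", "doc_count": 340},
            ],
        }
    }
}


def is_nested_path(mapping: dict, index: str, path: str) -> bool:
    """Walk the mapping along a dotted path; True if any segment is type nested."""
    node = mapping[index]["mappings"]
    for part in path.split("."):
        node = node["properties"][part]
        if node.get("type") == "nested":
            return True
    return False


def build_protocol_count_query(mapping: dict, index: str) -> dict:
    """Terms aggregation on network.protocol (bucket doc_count is the count
    per protocol); only wrap it in a nested aggregation when the mapping
    actually declares the path as nested."""
    terms = {"protocol": {"terms": {"field": "network.protocol", "size": 50}}}
    if is_nested_path(mapping, index, "network"):
        return {"size": 0, "aggs": {"network": {"nested": {"path": "network"}, "aggs": terms}}}
    return {"size": 0, "aggs": terms}


def bucket_counts(response: dict) -> dict:
    """Flatten the terms buckets into {protocol: doc_count}."""
    return {b["key"]: b["doc_count"] for b in response["aggregations"]["protocol"]["buckets"]}
```

Fetch the real mapping with `GET <index>/_mapping` and the aggregation result from `_search` with the body `build_protocol_count_query` returns; if `sum_other_doc_count` is non-zero, raise `size`.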