
I have documents of the type

{
  "host-ip": "192.168.0.1",
  "HOST_END_iso": "2016-02-19T09:30:41+01:00"
}

I successfully query ES to get one random entry and an aggregation of host-ip

{
   "query": {
      "match_all": {}
   },
   "size": 1,
   "aggs": {
      "rating": {
         "terms": {
            "field": "host-ip",
            "size": 0,
            "shard_size": 0
         }
      }
   }
}

I now want to filter the results and get the documents between two dates. The query part gets more complicated:

{
   "query": {
      "filtered": {
         "filter": {
            "query": {
               "match_all": {}
            },
            "terms": {
               "range": {
                  "HOST_END_iso": {
                     "gt": "2015-02-19T09:30:41+01:00",
                     "lt": "2016-02-19T09:30:41+01:00"
                  }
               }
            }
         }
      },
      "size": 1
   },
   "aggs": {
      "rating": {
         "terms": {
            "field": "host-ip",
            "size": 0,
            "shard_size": 0
         }
      }
   }
}

There is one record returned, but no aggregations. Why?

Please note that I had to move the size which limits the number of returned elements into the scope of the first query. I do not understand why I need to do that: if I leave it at the same level as query and aggs (like in the first -successful- example), I am not limited anymore to 1 element but I get the default 10 (so size is not taken into account, and I still do not get aggs anyway).

1 Answer

Your query is ill-formed in many places; here is the correct one:

{
  "size": 1,
  "query": {
    "filtered": {
      "filter": {
        "range": {
          "HOST_END_iso": {
            "gte": "2015-02-19T09:30:41+01:00",
            "lte": "2016-02-19T09:30:41+01:00"
          }
        }
      }
    }
  },
  "aggs": {
    "rating": {
      "terms": {
        "field": "host-ip",
        "size": 0,
        "shard_size": 0
      }
    }
  }
}

The main issue was the terms/range filter: you need either one, but not both.
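As an added example (not code from the question or the answer), the Python below builds the corrected body, flags the three structural mistakes the question's query contains (size inside query, range wrapped in terms, a query clause inside filter), and applies the same range filter and terms aggregation to a few constructed documents so the expected hits and buckets can be checked without a cluster. The function names and the sample documents are my own.

```python
from datetime import datetime

# Constructed sample documents (not from the page), same shape as the question's.
DOCS = [
    {"host-ip": "192.168.0.1", "HOST_END_iso": "2016-02-19T09:30:41+01:00"},
    {"host-ip": "192.168.0.1", "HOST_END_iso": "2015-06-01T00:00:00+01:00"},
    {"host-ip": "10.0.0.7", "HOST_END_iso": "2015-12-31T23:59:59+00:00"},
    {"host-ip": "10.0.0.7", "HOST_END_iso": "2014-01-01T00:00:00+00:00"},
]


def build_query(field, start, end, agg_field, size=1):
    """Filtered query with one range filter plus a terms aggregation (ES 1.x/2.x DSL).
    'size' stays at the top level; inside 'query' it is simply not a valid key."""
    return {
        "size": size,
        "query": {"filtered": {"filter": {"range": {field: {"gte": start, "lte": end}}}}},
        "aggs": {"rating": {"terms": {"field": agg_field, "size": 0, "shard_size": 0}}},
    }


def lint_query(body):
    """Pure dict checks (no ES call) for the mistakes discussed in the question."""
    problems = []
    query = body.get("query", {})
    if "size" in query:
        problems.append("'size' belongs at the top level, not inside 'query'")
    filt = query.get("filtered", {}).get("filter", {})
    if "terms" in filt and "range" in filt["terms"]:
        problems.append("'range' is wrapped in 'terms'; use one filter, not both")
    if "query" in filt:
        problems.append("'query' inside 'filter' is not a filter clause")
    return problems


def run_locally(body, docs):
    """Apply the range filter and terms aggregation in memory to show the expected result."""
    field, bounds = next(iter(body["query"]["filtered"]["filter"]["range"].items()))
    lo, hi = datetime.fromisoformat(bounds["gte"]), datetime.fromisoformat(bounds["lte"])
    hits = [d for d in docs if lo <= datetime.fromisoformat(d[field]) <= hi]
    agg_field = body["aggs"]["rating"]["terms"]["field"]
    buckets = {}
    for d in hits:
        buckets[d[agg_field]] = buckets.get(d[agg_field], 0) + 1
    # Aggregations cover every matching document; 'size' only trims the returned hits.
    return {"total": len(hits), "hits": hits[: body["size"]], "buckets": buckets}
```

The `filtered` query used on this page was removed in Elasticsearch 5.0; on newer versions the same filter goes into a `bool` query's `filter` clause, with `size` and `aggs` still at the top level.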


4 Comments

Thank you. After bouncing back and forth in the docs, I ended up -as you mention- mixing up terms and range while they live at the same level in the query.
Cool, glad you figured it out!
I did not figure it out. It is thanks to your answer I understood where I was wrong :)
Ok, then, I'm glad that helped :)
