Filters Aggregation

edit

Defines a multi bucket aggregations where each bucket is associated with a filter. Each bucket will collect all documents that match its associated filter.

Example:

{
  "aggs" : {
    "messages" : {
      "filters" : {
        "filters" : {
          "errors" :   { "term" : { "body" : "error"   }},
          "warnings" : { "term" : { "body" : "warning" }}
        }
      },
      "aggs" : {
        "monthly" : {
          "histogram" : {
            "field" : "timestamp",
            "interval" : "1M"
          }
        }
      }
    }
  }
}

In the above example, we analyze log messages. The aggregation will build two collection (buckets) of log messages - one for all those containing an error, and another for all those containing a warning. And for each of these buckets it will break them down by month.

Response:

...
  "aggs" : {
    "messages" : {
      "buckets" : {
        "errors" : {
          "doc_count" : 34,
            "monthly" : {
              "buckets" : [
                ... // the histogram monthly breakdown
              ]
            }
          },
          "warnings" : {
            "doc_count" : 439,
            "monthly" : {
              "buckets" : [
                 ... // the histogram monthly breakdown
              ]
            }
          }
        }
      }
    }
  }
...

Anonymous filters

edit

The filters field can also be provided as an array of filters, as in the following request:

{
  "aggs" : {
    "messages" : {
      "filters" : {
        "filters" : [
          { "term" : { "body" : "error"   }},
          { "term" : { "body" : "warning" }}
        ]
      },
      "aggs" : {
        "monthly" : {
          "histogram" : {
            "field" : "timestamp",
            "interval" : "1M"
          }
        }
      }
    }
  }
}

The filtered buckets are returned in the same order as provided in the request. The response for this example would be:

...
  "aggs" : {
    "messages" : {
      "buckets" : [
        {
          "doc_count" : 34,
          "monthly" : {
            "buckets : [
              ... // the histogram monthly breakdown
            ]
          }
        },
        {
          "doc_count" : 439,
          "monthly" : {
            "buckets" : [
              ... // the histogram monthly breakdown
            ]
          }
        }
      ]
    }
  }
...