Filters aggregation

With filters aggregation, you can create multiple buckets, each defined by its own filter; documents that satisfy a filter fall into the corresponding bucket. Let's look at an example.

Suppose that we want to create multiple buckets to understand how much of the network traffic was caused by the Chat category. At the same time, we want to understand how much of it was caused by the Skype application, versus other applications in the Chat category. This can be achieved by using filters aggregation, as it allows us to write arbitrary filters to create buckets:

GET bigginsight/_search?size=0
{
  "aggs": {
    "messages": {
      "filters": {
        "filters": {
          "chat": { "match": { "category": "Chat" }},
          "skype": { "match": { "application": "Skype" }},
          "other_than_skype": {
            "bool": {
              "must": {"match": {"category": "Chat"}},
              "must_not": {"match": {"application": "Skype"}}
            }
          }
        }
      }
    }
  }
}

We created three filters for the three buckets that we want, as follows:

  • Bucket with chat key: Here, we specify the category = Chat filter. Remember that the match query that we have used is a high-level query that understands the mapping of the underlying field. The underlying field category is a keyword field, and hence, the match query looks for the exact term, that is, Chat.
  • Bucket with skype key: Here, we specify the application = Skype filter and only include Skype traffic.
  • Bucket with other_than_skype key: Here, we use a bool query to filter documents that are in the Chat category, but not Skype.

As you can see, filters aggregation is very powerful when you want custom buckets using different filters. It allows you to take full control of the bucketing process. You can choose your own fields and your own conditions to create the buckets of your choice, in order to segment the data in customized ways.
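
The following is an added example, not code from the book or from Elasticsearch: a small local model of how the three filters above assign documents to buckets, useful for checking bucket logic before trusting the counts on a traffic dashboard. The sample documents and the helper names (as_list, matches, filters_agg) are constructed for illustration; the other_bucket_key argument mirrors the filters aggregation parameter of the same name, which collects documents that match no filter and would otherwise not be counted.

```python
from collections import Counter

# The three filters from the request above, as Python dicts.
FILTERS = {
    "chat": {"match": {"category": "Chat"}},
    "skype": {"match": {"application": "Skype"}},
    "other_than_skype": {"bool": {
        "must": {"match": {"category": "Chat"}},
        "must_not": {"match": {"application": "Skype"}},
    }},
}

# Constructed sample documents (not taken from the bigginsight index).
DOCS = [
    {"category": "Chat", "application": "Skype"},
    {"category": "Chat", "application": "Skype"},
    {"category": "Chat", "application": "WhatsApp"},
    {"category": "Chat", "application": "Viber"},
    {"category": "Web Browsing", "application": "Chrome"},
]


def as_list(clause):
    """A bool clause may hold one query or a list of queries."""
    if isinstance(clause, list):
        return clause
    return [] if clause is None else [clause]


def matches(query, doc):
    """Evaluate match (exact term, as on keyword fields) and bool must/must_not."""
    if "match" in query:
        return all(doc.get(f) == v for f, v in query["match"].items())
    if "bool" in query:
        b = query["bool"]
        return (all(matches(q, doc) for q in as_list(b.get("must")))
                and not any(matches(q, doc) for q in as_list(b.get("must_not"))))
    raise ValueError(f"unsupported query: {query}")


def filters_agg(filters, docs, other_bucket_key=None):
    """Count documents per named filter; every filter is evaluated independently."""
    counts = Counter({name: 0 for name in filters})
    for doc in docs:
        hit = [name for name, q in filters.items() if matches(q, doc)]
        counts.update(hit)  # one document may land in several buckets
        if not hit and other_bucket_key:
            counts[other_bucket_key] += 1
    return dict(counts)
```

Because the buckets are independent, a Skype document in the Chat category is counted in both chat and skype, so the bucket counts must not be summed to obtain a total.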

Next, we will look at how to slice data on a date type column, so that we can slice it into different time intervals.
