App logs are stored on logz.io. I'm trying to aggregate the error logs from my app: for each version, I would like to aggregate the error messages. I tried using a sub-aggregate query:
curl -X POST https://api.logz.io/v1/search \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: xxxxxxxxxx' \
  -d '{
    "query": {
      "bool": {
        "must": [
          {
            "range": {"@timestamp": { "gte": "now-2w", "lte": "now"}}
          }
        ],
        "filter": [{"terms": {"log_level": ["ERROR","CRITICAL","FATAL"]}}]
      }
    },
    "size": 0,
    "aggs": {
      "app_version_agg": {
        "terms": {
          "field": "app_version",
          "size": 1000
        },
        "aggs": {
          "error_message_agg": {
            "terms": {
              "field": "error_message",
              "size": 1000
            }
          }
        }
      }
    }
  }'
but I get this error:
{"errorCode":"LogzElasticsearchAPI/INVALID_QUERY","message":"This search can't be executed: [Bad Request]. Please contact customer support for more details","requestId":"xxxx","parameters":{"reason":"Bad Request"}}
I will note that when I use multiple aggregations on the same level, I do get results (but the results are separate aggregations, not an aggregation according to a few fields):
curl -X POST https://api.logz.io/v1/search \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: xxxxxxxxxx' \
  -d '{
    "query": {
      "bool": {
        "must": [
          {
            "range": {"@timestamp": { "gte": "now-2w", "lte": "now"}}
          }
        ],
        "filter": [{"terms": {"log_level": ["ERROR","CRITICAL","FATAL"]}}]
      }
    },
    "size": 0,
    "aggs": {
      "app_version_agg": {
        "terms": {
          "field": "app_version",
          "size": 1000
        }
      },
      "error_message_agg": {
        "terms": {
          "field": "error_message",
          "size": 1000
        }
      }
    }
  }'
According to the Logz.io documentation for the search endpoint, there's a limitation for aggregations:
Can't nest 2 or more bucket aggregations of these types: date_histogram, geohash_grid, histogram, ip_ranges, significant_terms, terms
So that probably explains the issue you're encountering.
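As an added example (not part of the original question or answer), one way to get per-version error-message counts despite that limitation: run the top-level terms aggregation on app_version by itself, then issue one filtered query per version with a single-level terms aggregation on error_message, so no request ever nests two terms aggregations. It reuses the field names, time range and endpoint from the question; the `build_*` helpers, the `fake_search` stand-in and the sample responses are constructed here, and the real call assumes the API accepts the same body as the curl commands above.

```python
import json
import urllib.request

LOGZ_SEARCH_URL = "https://api.logz.io/v1/search"

def base_query(extra_filters=()):
    """Errors from the last two weeks; extra_filters narrows further (e.g. to one app_version)."""
    return {"bool": {
        "must": [{"range": {"@timestamp": {"gte": "now-2w", "lte": "now"}}}],
        "filter": [{"terms": {"log_level": ["ERROR", "CRITICAL", "FATAL"]}}] + list(extra_filters),
    }}

def build_versions_request(size=1000):
    """Pass 1: which app_version values carry errors (a single, un-nested terms aggregation)."""
    return {"query": base_query(), "size": 0,
            "aggs": {"app_version_agg": {"terms": {"field": "app_version", "size": size}}}}

def build_errors_for_version_request(version, size=1000):
    """Pass 2: error_message counts for ONE version, again with a single-level terms aggregation."""
    return {"query": base_query([{"term": {"app_version": version}}]), "size": 0,
            "aggs": {"error_message_agg": {"terms": {"field": "error_message", "size": size}}}}

def bucket_counts(response, agg_name):
    """Flatten a terms-aggregation response into {bucket key: doc_count}."""
    return {b["key"]: b["doc_count"] for b in response["aggregations"][agg_name]["buckets"]}

def post_search(body, token):
    """Real call to the Logz.io search endpoint with the same headers as the curl commands."""
    req = urllib.request.Request(LOGZ_SEARCH_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-API-TOKEN": token}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def errors_per_version(search=post_search, token="xxxxxxxxxx"):
    """Two-pass replacement for the rejected nested aggregation: {version: {message: count}}."""
    versions = bucket_counts(search(build_versions_request(), token), "app_version_agg")
    return {v: bucket_counts(search(build_errors_for_version_request(v), token), "error_message_agg")
            for v in versions}

# Constructed stand-in for the API (sample data, not real logs) so the flow runs offline.
def fake_search(body, token):
    if "app_version_agg" in body["aggs"]:
        return {"aggregations": {"app_version_agg": {"buckets": [
            {"key": "1.2.0", "doc_count": 5}, {"key": "1.3.0", "doc_count": 2}]}}}
    version = body["query"]["bool"]["filter"][1]["term"]["app_version"]
    msgs = {"1.2.0": [("db timeout", 4), ("null pointer", 1)], "1.3.0": [("db timeout", 2)]}
    return {"aggregations": {"error_message_agg": {"buckets": [
        {"key": k, "doc_count": n} for k, n in msgs[version]]}}}

if __name__ == "__main__":
    print(json.dumps(errors_per_version(fake_search, "dummy-token"), indent=2))
```

Swap `fake_search` for `post_search` (the default) and a real token to run it against the live endpoint; with 1000 versions this issues up to 1001 requests, so tighten the time range or version list if that is too many.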