Briefly, this message is not an error in itself. It is logged at INFO level by the sample code in the Elasticsearch Java client documentation for the IP range aggregation, which loops over the buckets returned by an ip_range aggregation and prints each bucket's key, lower bound (from), upper bound (to) and document count (doc_count). If the values it prints are empty or unexpected, the aggregation request is usually the problem: make sure the field you aggregate on exists in the index mapping (watch for typos and case, since field names are case-sensitive) and that its mapped type matches the aggregation. An ip_range aggregation needs a field of type ip; a plain range aggregation needs a numeric or date field and is rejected on a text field. Bucketing on an analyzed text field also requires fielddata, so aggregate on a keyword (non-analyzed) field instead.
This guide will help you check for common problems that cause the log "Key [{}]; from [{}]; to [{}]; doc_count [{}]" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concept: aggregations.
Aggregation in Elasticsearch
Overview
In Elasticsearch, an aggregation is a collection or gathering of related things together. The aggregation framework summarizes the documents that match a search request, which is how you build summaries of your data. Unlike the old Elasticsearch facets (removed in 2.0), aggregations can be nested, so an aggregation can have sub-aggregations that operate on the documents produced by its parent aggregation. Below are the different types of aggregations; each has its own purpose:
Metrics Aggregations: A metric aggregation performs a mathematical calculation over the documents in a bucket that match the given search criteria. For example, on a numeric field you can compute COUNT, SUM, MIN, MAX, AVERAGE and so on.
Bucket Aggregations: Bucket aggregations create buckets, or sets of documents, based on criteria given in the query. When the aggregation runs, each document is placed in the bucket(s) it matches, and the result is a list of buckets, each with its document count (and any sub-aggregation results). Examples of bucket aggregations are the Histogram, Range, Terms, Filter(s), Geo Distance and IP Range aggregations.
Pipeline Aggregations: These aggregations operate on the output of other aggregations rather than on document sets.
Matrix Aggregations: Unlike metric and bucket aggregations, a matrix aggregation works on more than one field and produces a matrix result based on the values of the requested document fields.
Examples
The avg aggregation returns the average of a numeric field over the aggregated documents. For example, the query below computes the average of the fees field over all documents:
POST /schools/_search
{
  "aggs": {
    "avg_fees": { "avg": { "field": "fees" } }
  }
}
In the query, the "aggs" object holds the aggregations to compute. "avg_fees" is the name of the aggregation (this name is also how the result is referenced from scripts and pipeline aggregations), and "avg" is the aggregation type, applied to the fees field. The request returns the following:
{
  ...
  "aggregations": {
    "avg_fees": { "value": 2650.0 }
  }
}
Log Context
Log "Key [{}]; from [{}]; to [{}]; doc_count [{}]" does not come from a server class; its source is the documentation file iprange-aggregation.asciidoc (the Java client page for the IP range aggregation).
We extracted the following from the Elasticsearch source code for those seeking in-depth context. The logger call is the body of a loop over the buckets of a parsed Range aggregation (the enclosing loop is reproduced here so the snippet is complete; the extracted text had its argument separators mangled into semicolons, which are restored to commas below):
// agg is the parsed ip_range aggregation taken from the SearchResponse
for (Range.Bucket entry : agg.getBuckets()) {
    String key = entry.getKeyAsString();            // Ip range as key
    String fromAsString = entry.getFromAsString();  // Ip bucket from as a String
    String toAsString = entry.getToAsString();      // Ip bucket to as a String
    long docCount = entry.getDocCount();            // Doc count

    logger.info("key [{}], from [{}], to [{}], doc_count [{}]", key, fromAsString, toAsString, docCount);
}
--------------------------------------------------
This will basically produce for the first example:
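To make concrete what that log line reports, and the field-type check recommended at the top of this guide, here is an added Python example (not code from Elasticsearch or from this page). It builds an ip_range aggregation request, validates against a constructed mapping that the target field is mapped as ip, and then re-implements the bucketing semantics locally (from inclusive, to exclusive, a mask expanding to its CIDR block) over a handful of constructed documents, producing buckets shaped like the real aggregation response and the same "key; from; to; doc_count" lines the Java sample logs. The documents, mapping and ranges are all constructed for the demo.

```python
import ipaddress
import json

# Constructed sample documents standing in for an index of connection logs.
DOCS = [
    {"src_ip": "10.0.0.3"},
    {"src_ip": "10.0.0.5"},
    {"src_ip": "10.0.0.9"},
    {"src_ip": "10.0.0.10"},
    {"src_ip": "192.168.1.7"},
    {"src_ip": "203.0.113.42"},
    {"msg": "no source ip on this document"},
]

# Constructed mapping, in the shape returned by GET /<index>/_mapping (trimmed).
MAPPING = {"properties": {"src_ip": {"type": "ip"}, "msg": {"type": "text"}}}

# Ranges in the same shape as the "ranges" array of an ip_range aggregation.
RANGES = [
    {"to": "10.0.0.5"},
    {"from": "10.0.0.5", "to": "10.0.0.10"},
    {"from": "10.0.0.10"},
    {"mask": "192.168.0.0/16"},
]


def check_ip_field(mapping, field):
    """Fail early if the field is missing or not mapped as `ip`: an ip_range
    aggregation on a missing, text or keyword field yields no usable buckets."""
    props = mapping.get("properties", {})
    if field not in props:
        raise KeyError(f"field {field!r} is not in the mapping (typo or wrong case?)")
    ftype = props[field].get("type")
    if ftype != "ip":
        raise TypeError(f"field {field!r} is mapped as {ftype!r}; ip_range needs type 'ip'")
    return True


def build_ip_range_agg(field, ranges, name="ip_ranges"):
    """Request body for an ip_range aggregation; size 0 because only buckets are wanted."""
    return {"size": 0, "aggs": {name: {"ip_range": {"field": field, "ranges": ranges}}}}


def _bounds(entry):
    """Resolve one range entry to (key, lower, upper): lower is inclusive, upper
    is exclusive, a mask covers [network address, broadcast address + 1)."""
    if "mask" in entry:
        net = ipaddress.ip_network(entry["mask"], strict=False)
        lo = net.network_address
        top = 2 ** net.max_prefixlen - 1
        hi_int = int(net.broadcast_address) + 1
        hi = ipaddress.ip_address(hi_int) if hi_int <= top else None  # block ends at top of address space
        return entry["mask"], lo, hi
    lo = ipaddress.ip_address(entry["from"]) if "from" in entry else None
    hi = ipaddress.ip_address(entry["to"]) if "to" in entry else None
    key = f"{lo if lo is not None else '*'}-{hi if hi is not None else '*'}"
    return key, lo, hi


def ip_range_buckets(docs, field, ranges):
    """Local re-implementation of ip_range bucketing for the demo. Returns buckets
    shaped like the aggregation response: key, doc_count, and from/to when bounded."""
    buckets = []
    for entry in ranges:
        key, lo, hi = _bounds(entry)
        version = (lo or hi).version
        count = 0
        for doc in docs:
            if field not in doc:          # documents without the field fall in no bucket
                continue
            ip = ipaddress.ip_address(doc[field])
            if ip.version != version:     # IPv4 and IPv6 values are not comparable
                continue
            if (lo is None or ip >= lo) and (hi is None or ip < hi):
                count += 1
        bucket = {"key": key, "doc_count": count}
        if lo is not None:
            bucket["from"] = str(lo)
        if hi is not None:
            bucket["to"] = str(hi)
        buckets.append(bucket)
    return buckets


def format_buckets(buckets):
    """One line per bucket, in the form the Java client sample logs (None where unbounded)."""
    return [
        f"key [{b['key']}]; from [{b.get('from')}]; to [{b.get('to')}]; doc_count [{b['doc_count']}]"
        for b in buckets
    ]


if __name__ == "__main__":
    check_ip_field(MAPPING, "src_ip")
    print(json.dumps(build_ip_range_agg("src_ip", RANGES), indent=2))
    for line in format_buckets(ip_range_buckets(DOCS, "src_ip", RANGES)):
        print(line)
```

Run against the constructed data, the open-ended ranges get the "*-10.0.0.5" and "10.0.0.10-*" keys with the unbounded side absent from the bucket, which is why the Java sample's from or to prints as null for those buckets; the mask range is keyed by the CIDR string and carries the computed block bounds. Swapping "src_ip" for "msg" or "Src_IP" in check_ip_field reproduces the two mapping mistakes described at the top of the guide before any request is sent.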