Question posted in 
I have an Elasticsearch index, part of its mapping is as follows:
...
},
"entity": {
"properties": {
"DateTime": {
"type": "date"
},
"Event": {
"type": "keyword"
},
"Location": {
"type": "keyword"
},
"Organ": {
"type": "keyword"
},
"Person": {
"type": "keyword"
}
}
},
...
I want to find the most frequent person. So, I query the index in the following ways:
{"size":0, "query":{"match_all":{}},"aggs":{"top_locations":{"terms":{"field":"entity.Person","size":1}}}}
and
{"size":0, "query":{"match_all":{}},"aggs":{"top_locations":{"terms":{"field":"entity.Person.keyword","size":1}}}}
The problem is that the first query works fine, but the second does not work.
3
Answers
You can try this
The first query will work yes and the second will not as you have observed already.
The reason is that the .keyword subfield does not exist.
If your mapping was like:
then the second query would work too.
But you shouldn’t want to do this because your "main" field is already type keyword. Subfields are usually used when the main type is something else. Like:
In which case Person is type text and Person.keyword is type keyword.
Please also note that the name of the subfield could be anything you like.
So in the above example Person.keyword would not work because we would need to use Person.foobar
It’s just that we usually give the same name as the type of the subfield.
Your first query works fine because
entity.Personfield exist. The second query is not exist becauseentity.Person.keywordfield is not exist.The field name does not have to be
.keywordjust because the field type is ‘keyword’.You can check if the field exist with the following API call.