I understand how you feel, been there, too :-)
In the filters aggregation, the first filters occurrence is the aggregation_type and the second is part of the aggregation_body of the filters aggregation and is the only valid key that this aggregation supports.
The second filters occurrence could have been called anything else (filter_list, list, etc.) to denote that it contains the list of filters for that aggregation, but the ES folks picked filters, which happens to also be the same name as the name of the aggregation itself.
So it goes like this:
{
  "aggs" : {                       <--- key word to declare aggregations
    "messages" : {                 <--- custom name for the aggregation that follows
      "filters" : {                <--- aggregation_type
        "filters" : {              <--- first (and only) key of the aggregation_body
          "errors" :   { "term" : { "body" : "error"   }},
          "warnings" : { "term" : { "body" : "warning" }}
        }
      },
      "aggs" : {
        "monthly" : {
          "histogram" : {
            "field" : "timestamp",
            "interval" : "1M"
          }
        }
      }
    }
  }
}
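The nesting described in this answer, as an added example that is not part of the original answer: a small Python walker that labels the custom name, aggregation_type and aggregation_body keys at each level of an aggs tree, and reports a filters aggregation whose body lacks the inner filters key. The function names and the second, malformed request are constructed for illustration.

```python
SUB_AGG_KEYS = {"aggs", "aggregations"}  # Elasticsearch accepts both spellings
NON_TYPE_KEYS = SUB_AGG_KEYS | {"meta"}  # "meta" is optional metadata, not a type

def describe_aggs(aggs, path=()):
    """Yield (path, aggregation_type, body_keys) for every aggregation in the tree."""
    for name, definition in aggs.items():
        here = path + (name,)
        # Whatever is not a sub-aggregation key or "meta" must be the single type.
        types = [k for k in definition if k not in NON_TYPE_KEYS]
        if len(types) != 1:
            raise ValueError(f"{'/'.join(here)}: expected one aggregation_type, got {types}")
        agg_type = types[0]
        yield here, agg_type, sorted(definition[agg_type])
        # Sub-aggregations sit beside the type, under the custom name.
        for key in definition.keys() & SUB_AGG_KEYS:
            yield from describe_aggs(definition[key], here)

def missing_inner_filters(request):
    """Paths of filters aggregations whose body lacks the inner "filters" key."""
    return ["/".join(path) for path, agg_type, keys in describe_aggs(request["aggs"])
            if agg_type == "filters" and "filters" not in keys]

# Constructed copy of the request shown in the answer.
GOOD = {"aggs": {"messages": {
    "filters": {"filters": {
        "errors": {"term": {"body": "error"}},
        "warnings": {"term": {"body": "warning"}}}},
    "aggs": {"monthly": {"histogram": {"field": "timestamp", "interval": "1M"}}}}}}

# Constructed malformed variant: the named filters are placed directly under
# the aggregation_type, skipping the inner "filters" key.
BAD = {"aggs": {"messages": {
    "filters": {
        "errors": {"term": {"body": "error"}},
        "warnings": {"term": {"body": "warning"}}}}}}

if __name__ == "__main__":
    for path, agg_type, keys in describe_aggs(GOOD["aggs"]):
        print("/".join(path), "-> type:", agg_type, "body keys:", keys)
    print("missing inner filters key:", missing_inner_filters(BAD))
```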