Parent and Sibling Aggregations in Elasticsearch
Excerpts taken from my upcoming book: Elasticsearch in Action
The excerpts are taken from my book Elasticsearch in Action, Second Edition. The code is available in my GitHub repository. You can find executable Kibana scripts in the repository so you can run the commands in Kibana straight away. All code is tested against Elasticsearch version 8.4.
Broadly speaking, we can group aggregations into two types: parent and sibling aggregations. You may find them a bit confusing, so let’s see what they are and how they can be used.
Parent aggregations
Parent aggregations are a group of aggregations that work on the input from the parent aggregation to produce new buckets, which are then added to the existing buckets. Take a look at the following code listing.
GET coffee_sales/_search
{
  "size": 0,
  "aggs": {
    "coffee_sales_by_day": {
      "date_histogram": {
        "field": "date",
        "calendar_interval": "1d"
      },
      "aggs": {
        "cappuccino_sales": {
          "sum": {
            "field": "sales.cappuccino"
          }
        }
      }
    }
  }
}
If you look closely (see figure below), the cappuccino_sales aggregation is created as a child of the parent coffee_sales_by_day aggregation. It is at the same level as the date_histogram.
The result of such an aggregation produces a set of buckets inside the existing bucket. The figure below shows this result. As you can see in the previous figure, the cappuccino_sales aggregation produces the new buckets that are tucked away under the main date_histogram bucket.
Sibling aggregations
Sibling aggregations are those that produce a new aggregation at the same level as the sibling aggregation. The code in the following listing creates an aggregation with two queries at the same level (hence, we call them siblings).
GET coffee_sales/_search
{
  "size": 0,
  "aggs": {
    "coffee_date_histogram": {
      "date_histogram": {
        "field": "date",
        "calendar_interval": "1d"
      }
    },
    "total_sale_of_americanos": {
      "sum": {
        "field": "sales.americano"
      }
    }
  }
}
In the listing, the coffee_date_histogram and total_sale_of_americanos aggregations are defined at the same level. If we take a snapshot of the query with the aggregations collapsed, we’d see them pictorially as shown in the figure below.
When we execute the sibling queries, new sets of buckets are produced; however, unlike parent aggregations, where the buckets are created and added to the existing buckets, with sibling aggregations, new aggregations or new buckets are created at the root aggregation level. The query in the previous listing produces the aggregated results in the figure below, with newly created buckets for each of the sibling aggregations.
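To see where each kind of aggregation's results land in the response, the following added example (not code from the book or its repository) flattens the "aggregations" object returned for the two listings above. The response bodies and their values are constructed for illustration, and flatten and root_level_metrics are hypothetical helper names.

```python
# Added example. Both response bodies are constructed sample data (made-up
# values), shaped like what date_histogram and sum aggregations return.
PARENT_RESPONSE = {          # cappuccino_sales nested under coffee_sales_by_day
    "coffee_sales_by_day": {"buckets": [
        {"key_as_string": "2022-09-01T00:00:00.000Z", "key": 1661990400000,
         "doc_count": 1, "cappuccino_sales": {"value": 23.0}},
        {"key_as_string": "2022-09-02T00:00:00.000Z", "key": 1662076800000,
         "doc_count": 1, "cappuccino_sales": {"value": 40.0}},
    ]}
}
SIBLING_RESPONSE = {         # two aggregations side by side at the root
    "coffee_date_histogram": {"buckets": [
        {"key_as_string": "2022-09-01T00:00:00.000Z", "key": 1661990400000,
         "doc_count": 1},
        {"key_as_string": "2022-09-02T00:00:00.000Z", "key": 1662076800000,
         "doc_count": 1},
    ]},
    "total_sale_of_americanos": {"value": 21.0},
}


def flatten(aggs, prefix=""):
    """Yield (path, value) for each bucket count and metric in an
    "aggregations" object, descending into aggregations nested in buckets."""
    for name, body in aggs.items():
        path = prefix + name
        if "buckets" in body:                       # bucket aggregation
            for bucket in body["buckets"]:
                where = f"{path}[{bucket.get('key_as_string', bucket['key'])}]"
                yield where + ".doc_count", bucket["doc_count"]
                # Any dict-valued entry in a bucket is a child aggregation.
                children = {k: v for k, v in bucket.items() if isinstance(v, dict)}
                yield from flatten(children, where + ".")
        elif "value" in body:                       # single-value metric (sum)
            yield path, body["value"]


def root_level_metrics(aggs):
    """Names of metrics that sit at the root rather than inside a bucket."""
    return [path for path, _ in flatten(aggs) if "[" not in path]


if __name__ == "__main__":
    for label, resp in (("parent", PARENT_RESPONSE), ("sibling", SIBLING_RESPONSE)):
        print(label)
        for path, value in flatten(resp):
            print(f"  {path} = {value}")
```

With the parent listing every cappuccino_sales value is reported once per daily bucket, while with the sibling listing total_sale_of_americanos appears exactly once, beside the histogram rather than inside it.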