I'm using Elasticsearch server 8.17.3 and the Elasticsearch .NET client 8.17.3. It looks like there is an issue with Elasticsearch resolving a multi terms aggregation involving a boolean field. I get the error below, even though I have only one index and one document indexed, with correct mappings. The same query works in the V7 NEST client and also runs without issues if I execute it via Dev Tools.
I understand the error message, but the boolean field in question in the aggregation, i.e. EPMWinMac.Session.Administrator, DOESN'T exist as two different types in two different indices:
Error Log
Invalid Elasticsearch response built from a unsuccessful (400) low level call on POST: /_search?pretty=true&error_trace=true&typed_keys=true
Exception: Request failed to execute. Call: Status code 400 from: POST /_search?pretty=true&error_trace=true&typed_keys=true. ServerError: Type: search_phase_execution_exception Reason: "" CausedBy: "Type: illegal_argument_exception Reason: "Merging/Reducing the aggregations failed when computing the aggregation [UserIdAndUsernameMultiAggs] because the field in position2 in the aggregation query existed as two different types in two different indices""
**Audit trail of this API call:**
- [1] BadResponse: Node: https://_REMOVED_.us-east-2.aws.elastic-cloud.com/ Took: 00:00:00.1251254
**OriginalException:** Elastic.Transport.TransportException: Request failed to execute. Call: Status code 400 from: POST /_search?pretty=true&error_trace=true&typed_keys=true. ServerError: Type: search_phase_execution_exception Reason: "" CausedBy: "Type: illegal_argument_exception Reason: "Merging/Reducing the aggregations failed when computing the aggregation [UserIdAndUsernameMultiAggs] because the field in position2 in the aggregation query existed as two different types in two different indices""
**Request:**
```json
{
  "aggregations": {
    "UserIdAndUsernameMultiAggs": {
      "aggregations": {
        "host_hostname_keyword_bucket": {
          "terms": {
            "field": "host.hostname.keyword"
          }
        }
      },
      "multi_terms": {
        "size": 25,
        "terms": [
          {
            "field": "UserIdAndUsername"
          },
          {
            "field": "EPMWinMac.Session.Administrator",
            "missing": false
          }
        ]
      }
    }
  },
  "profile": true,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "2025-02-26T11:11:26.583Z",
              "lte": "2025-05-27T11:11:26.583Z"
            }
          }
        },
        {
          "bool": {
            "must": {
              "term": {
                "host.os.type": {
                  "case_insensitive": true,
                  "value": "windows"
                }
              }
            }
          }
        },
        {
          "terms": {
            "user.id": [
              "1e46904e-803d-4d0c-9d7f-fd7ceac00cf1"
            ]
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": false
}
```
**Response:**
{
"error" : {
"root_cause" : [ ],
"type" : "search_phase_execution_exception",
"reason" : "",
"phase" : "rank-feature",
"grouped" : true,
"failed_shards" : [ ],
"caused_by" : {
"type" : "illegal_argument_exception",
"reason" : "Merging/Reducing the aggregations failed when computing the aggregation [UserIdAndUsernameMultiAggs] because the field in position2 in the aggregation query existed as two different types in two different indices",
"stack_trace" : "java.lang.IllegalArgumentException: Merging/Reducing the aggregations failed when computing the aggregation [UserIdAndUsernameMultiAggs] because the field in position2 in the aggregation query existed as two different types in two different indices\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.AggregationErrors.reduceTypeMismatch(AggregationErrors.java:78)\n\tat org.elasticsearch.xpack.analytics.multiterms.InternalMultiTerms$1.needsPromotionToDouble(InternalMultiTerms.java:547)\n\tat org.elasticsearch.xpack.analytics.multiterms.InternalMultiTerms$1.get(InternalMultiTerms.java:562)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.AggregatorsReducer.get(AggregatorsReducer.java:63)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.reduce(InternalAggregations.java:275)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.topLevelReduce(InternalAggregations.java:224)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.topLevelReduceDelayable(InternalAggregations.java:212)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.SearchPhaseController.reduceAggs(SearchPhaseController.java:691)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.SearchPhaseController.reducedQueryPhase(SearchPhaseController.java:645)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.QueryPhaseResultConsumer.reduce(QueryPhaseResultConsumer.java:140)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.RankFeaturePhase.innerRun(RankFeaturePhase.java:93)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.RankFeaturePhase$1.doRun(RankFeaturePhase.java:80)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)\n\tat 
org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:34)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:1023)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)\n\tat java.base/java.lang.Thread.run(Thread.java:1575)\n"
},
"stack_trace" : "Failed to execute phase [rank-feature], \n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseFailure(AbstractSearchAsyncAction.java:693)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.RankFeaturePhase$1.onFailure(RankFeaturePhase.java:85)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:29)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:34)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:1023)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)\n\tat java.base/java.lang.Thread.run(Thread.java:1575)\nCaused by: java.lang.IllegalArgumentException: Merging/Reducing the aggregations failed when computing the aggregation [UserIdAndUsernameMultiAggs] because the field in position2 in the aggregation query existed as two different types in two different indices\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.AggregationErrors.reduceTypeMismatch(AggregationErrors.java:78)\n\tat org.elasticsearch.xpack.analytics.multiterms.InternalMultiTerms$1.needsPromotionToDouble(InternalMultiTerms.java:547)\n\tat org.elasticsearch.xpack.analytics.multiterms.InternalMultiTerms$1.get(InternalMultiTerms.java:562)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.AggregatorsReducer.get(AggregatorsReducer.java:63)\n\tat 
org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.reduce(InternalAggregations.java:275)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.topLevelReduce(InternalAggregations.java:224)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.search.aggregations.InternalAggregations.topLevelReduceDelayable(InternalAggregations.java:212)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.SearchPhaseController.reduceAggs(SearchPhaseController.java:691)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.SearchPhaseController.reducedQueryPhase(SearchPhaseController.java:645)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.QueryPhaseResultConsumer.reduce(QueryPhaseResultConsumer.java:140)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.RankFeaturePhase.innerRun(RankFeaturePhase.java:93)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.action.search.RankFeaturePhase$1.doRun(RankFeaturePhase.java:80)\n\tat org.elasticsearch.server@8.17.3/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)\n\t... 6 more\n"
},
"status" : 400
}
Mappings:
{
"mappings": {
"_data_stream_timestamp": {
"enabled": true
},
"properties": {
"@timestamp": {
"type": "date"
},
"EPMWinMac": {
"properties": {
"ActiveX": {
"properties": {
"CLSID": {
"type": "keyword"
},
"Codebase": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Version": {
"type": "keyword"
}
}
},
"AdapterVersion": {
"type": "keyword"
},
"AuthorizationRequest": {
"properties": {
"AuthRequestURI": {
"type": "keyword"
}
}
},
"AuthorizingUser": {
"properties": {
"CredentialSource": {
"type": "keyword"
},
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"DomainName": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"COM": {
"properties": {
"AppID": {
"type": "keyword"
},
"CLSID": {
"type": "keyword"
},
"DisplayName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
},
"Configuration": {
"properties": {
"AdminRequired": {
"type": "boolean"
},
"Application": {
"properties": {
"Description": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Identifier": {
"type": "keyword"
},
"Type": {
"type": "keyword"
}
}
},
"ApplicationGroup": {
"properties": {
"Description": {
"type": "keyword",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
},
"Identifier": {
"type": "keyword"
},
"LoadAuditMode": {
"type": "keyword"
},
"Message": {
"properties": {
"AuthMethods": {
"type": "keyword"
},
"Authentication": {
"properties": {
"User": {
"type": "keyword"
}
}
},
"Authorization": {
"properties": {
"ChallengeCode": {
"type": "keyword"
},
"ResponseStatus": {
"type": "keyword"
}
}
},
"Description": {
"type": "text",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Type": {
"type": "keyword"
},
"UserReason": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"UserRequestManagementId": {
"type": "keyword"
}
}
},
"RevisionNumber": {
"type": "keyword"
},
"Rule": {
"properties": {
"Action": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"OnDemand": {
"type": "boolean"
}
}
},
"RuleScript": {
"properties": {
"FileName": {
"type": "keyword"
},
"Outcome": {
"properties": {
"Name": {
"type": "keyword"
},
"Output": {
"type": "keyword"
},
"Result": {
"type": "keyword"
},
"RuleAffected": {
"type": "boolean"
},
"Version": {
"type": "keyword"
}
}
},
"Publisher": {
"type": "keyword"
}
}
},
"SigningEnforcement": {
"type": "keyword"
},
"Token": {
"properties": {
"Description": {
"type": "text",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
},
"TrustedApplication": {
"properties": {
"Name": {
"type": "keyword"
},
"Version": {
"type": "keyword"
}
}
},
"Workstyle": {
"properties": {
"Description": {
"type": "keyword",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
}
}
},
"Content": {
"properties": {
"File": {
"properties": {
"Description": {
"type": "text",
"index": false
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Owner": {
"properties": {
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
}
}
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"Version": {
"type": "keyword"
}
}
}
}
},
"ControlAuthorization": {
"type": "boolean"
},
"Event": {
"properties": {
"Action": {
"type": "keyword"
},
"Type": {
"type": "keyword"
}
}
},
"GroupId": {
"type": "keyword"
},
"Installer": {
"properties": {
"ProductCode": {
"type": "keyword"
},
"UpgradeCode": {
"type": "keyword"
}
}
},
"PreventPrivilegedGroupModification": {
"properties": {
"Group": {
"properties": {
"Access ": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"Rid": {
"type": "keyword"
}
}
}
}
},
"PrivilegedGroup": {
"properties": {
"Access": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"RID": {
"type": "keyword"
}
}
},
"RemotePowerShell": {
"properties": {
"Command": {
"type": "keyword"
}
}
},
"SchemaVersion": {
"type": "keyword"
},
"ServiceControl": {
"properties": {
"Service": {
"properties": {
"Action": {
"type": "keyword"
},
"DisplayName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
}
}
},
"Session": {
"properties": {
"Administrator": {
"type": "boolean"
},
"Identifier": {
"type": "keyword"
},
"JITAdmin": {
"properties": {
"Configuration": {
"properties": {
"AdminRequired": {
"type": "boolean"
},
"Application": {
"properties": {
"Description": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Identifier": {
"type": "keyword"
},
"Type": {
"type": "keyword"
}
}
},
"ApplicationGroup": {
"properties": {
"Description": {
"type": "keyword",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
},
"Identifier": {
"type": "keyword"
},
"LoadAuditMode": {
"type": "keyword"
},
"Message": {
"properties": {
"AuthMethods": {
"type": "keyword"
},
"Authentication": {
"properties": {
"User": {
"type": "keyword"
}
}
},
"Authorization": {
"properties": {
"ChallengeCode": {
"type": "keyword"
},
"ResponseStatus": {
"type": "keyword"
}
}
},
"Description": {
"type": "text",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Type": {
"type": "keyword"
},
"UserReason": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"UserRequestManagementId": {
"type": "keyword"
}
}
},
"RevisionNumber": {
"type": "keyword"
},
"Rule": {
"properties": {
"Action": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"OnDemand": {
"type": "boolean"
}
}
},
"RuleScript": {
"properties": {
"FileName": {
"type": "keyword"
},
"Outcome": {
"properties": {
"Name": {
"type": "keyword"
},
"Output": {
"type": "keyword"
},
"Result": {
"type": "keyword"
},
"RuleAffected": {
"type": "boolean"
},
"Version": {
"type": "keyword"
}
}
},
"Publisher": {
"type": "keyword"
}
}
},
"SigningEnforcement": {
"type": "keyword"
},
"Token": {
"properties": {
"Description": {
"type": "text",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
},
"TrustedApplication": {
"properties": {
"Name": {
"type": "keyword"
},
"Version": {
"type": "keyword"
}
}
},
"Workstyle": {
"properties": {
"Description": {
"type": "keyword",
"index": false
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
}
}
}
}
},
"RequestIdentifier": {
"type": "keyword"
},
"TicketIdentifier": {
"type": "keyword"
}
}
},
"Locale": {
"type": "keyword"
},
"PowerUser": {
"type": "boolean"
},
"UILanguage": {
"type": "keyword"
},
"WindowsSessionId": {
"type": "keyword"
}
}
},
"StoreApp": {
"properties": {
"Name": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"Publisher": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Version": {
"type": "keyword"
}
}
},
"TenantId": {
"type": "keyword"
}
}
},
"ElevationMethod": {
"type": "keyword"
},
"EnrichForUI": {
"properties": {
"AuthorizationRequired": {
"type": "boolean"
},
"File": {
"properties": {
"Description": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"DiscoveredDate": {
"type": "date",
"ignore_malformed": true
},
"DriveType": {
"type": "keyword"
},
"Hash": {
"properties": {
"Md5": {
"type": "keyword"
},
"Sha1": {
"type": "keyword"
},
"Sha256": {
"type": "keyword"
}
}
},
"Owner": {
"properties": {
"DomainIdentifier": {
"type": "keyword"
},
"DomainName": {
"type": "keyword"
},
"DomainNetBIOSName": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Product": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"ProductVersion": {
"type": "keyword"
},
"Publisher": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"PublisherStatus": {
"type": "boolean"
},
"SourceUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Uri": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Version": {
"type": "keyword"
},
"ZoneTag": {
"type": "keyword"
},
"owner": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
},
"Translated": {
"type": "boolean"
},
"UserIdAndUsername": {
"type": "keyword"
},
"agent": {
"properties": {
"ephemeral_id": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"aggregation_criteria": {
"type": "keyword"
},
"base": {
"properties": {
"@timestamp": {
"type": "date"
}
}
},
"client": {
"properties": {
"Name": {
"type": "keyword"
}
}
},
"client_ingest_lag_ms": {
"type": "long"
},
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
}
}
},
"dll": {
"properties": {
"DriveType": {
"type": "keyword"
},
"SourceUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"ZoneTag": {
"type": "keyword"
},
"code_signature": {
"properties": {
"subject_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"hash": {
"properties": {
"md5": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
},
"sha256": {
"type": "keyword"
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"pe": {
"properties": {
"architecture": {
"type": "keyword"
},
"company": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"file_version": {
"type": "keyword"
},
"imphash": {
"type": "keyword"
},
"original_file_name": {
"type": "keyword"
},
"pehash": {
"type": "keyword"
},
"product": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"event": {
"properties": {
"ReceivedAt": {
"type": "date_nanos"
},
"action": {
"type": "keyword"
},
"code": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"ingested": {
"type": "date_nanos"
},
"reason": {
"type": "keyword"
}
}
},
"file": {
"properties": {
"Bundle": {
"properties": {
"Creator": {
"type": "keyword"
},
"DownloadSource": {
"type": "keyword"
},
"InfoDescription": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"Type": {
"type": "keyword"
},
"Uri": {
"type": "keyword"
},
"Version": {
"type": "keyword"
}
}
},
"DriveType": {
"type": "keyword"
},
"Owner": {
"properties": {
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"DomainName": {
"type": "keyword"
},
"DomainNetBIOSName": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"ProductVersion": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"SourceUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Uri": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"ZoneTag": {
"type": "keyword"
},
"code_signature": {
"properties": {
"subject_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
},
"gid": {
"type": "keyword"
},
"group": {
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
},
"sha256": {
"type": "keyword"
}
}
},
"owner": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
},
"sayt_customized": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3,
"analyzer": "autocomplete_path_analyzer"
}
}
},
"pe": {
"properties": {
"architecture": {
"type": "keyword"
},
"company": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"file_version": {
"type": "keyword"
},
"imphash": {
"type": "keyword"
},
"original_file_name": {
"type": "keyword"
},
"pehash": {
"type": "keyword"
},
"product": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
}
}
},
"group": {
"properties": {
"Identifier": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"host": {
"properties": {
"ChassisType": {
"type": "keyword"
},
"DefaultLocale": {
"type": "keyword"
},
"DefaultUILanguage": {
"type": "keyword"
},
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
},
"domain": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"geo": {
"properties": {
"TimezoneOffset": {
"type": "keyword"
}
}
},
"hostname": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"id": {
"type": "keyword"
},
"ip": {
"type": "ip",
"ignore_malformed": true
},
"os": {
"properties": {
"ProductType": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"uptime": {
"type": "long"
}
}
},
"process": {
"properties": {
"ElevationRequired": {
"type": "boolean"
},
"HostedFile": {
"properties": {
"Bundle": {
"properties": {
"Version": {
"type": "keyword"
}
}
},
"Description": {
"type": "keyword"
},
"DriveType": {
"type": "keyword"
},
"Owner": {
"properties": {
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "keyword"
},
"NetBIOSName": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"DomainName": {
"type": "keyword"
},
"DomainNetBIOSName": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"Product": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"ProductVersion": {
"type": "keyword"
},
"SourceUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"Uri": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"ZoneTag": {
"type": "keyword"
},
"code_signature": {
"properties": {
"subject_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"hash": {
"properties": {
"md5": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
},
"sha256": {
"type": "keyword"
}
}
},
"owner": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
},
"sayt_customized": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3,
"analyzer": "autocomplete_path_analyzer"
}
}
},
"pe": {
"properties": {
"architecture": {
"type": "keyword"
},
"company": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"file_version": {
"type": "keyword"
},
"imphash": {
"type": "keyword"
},
"original_file_name": {
"type": "keyword"
},
"pehash": {
"type": "keyword"
},
"product": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
}
}
},
"command_line": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
},
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
},
"sayt_customized": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3,
"analyzer": "autocomplete_path_analyzer"
},
"wildcard": {
"type": "wildcard"
}
}
},
"entity_id": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"parent": {
"properties": {
"entity_id": {
"type": "keyword"
},
"executable": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"type": "keyword"
},
"pid": {
"type": "keyword"
}
}
},
"pid": {
"type": "keyword"
},
"start": {
"type": "date"
},
"user": {
"properties": {
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"domain": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"related": {
"properties": {
"hash": {
"type": "keyword"
},
"hosts": {
"type": "keyword"
},
"ip": {
"type": "ip",
"ignore_malformed": true
},
"user": {
"type": "keyword"
}
}
},
"server_ingest_lag_ms": {
"type": "long"
},
"total_ingest_lag_ms": {
"type": "long"
},
"user": {
"properties": {
"Domain": {
"properties": {
"Identifier": {
"type": "keyword"
}
}
},
"DomainIdentifier": {
"type": "keyword"
},
"DomainNetBIOSName": {
"type": "keyword"
},
"Identifier": {
"type": "keyword"
},
"LocalIdentifier": {
"type": "keyword"
},
"domain": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
},
"id": {
"type": "keyword"
},
"name": {
"type": "keyword",
"fields": {
"sayt": {
"type": "search_as_you_type",
"doc_values": false,
"max_shingle_size": 3
}
}
}
}
}
}
}
}
Workaround:
If I create and use the same 'EPMWinMac.Session.Administrator' field as a runtime field using a script with the same type, i.e. boolean, the multi terms aggregation works on it. Alternatively, I can create and use another field type, for example "keyword".
Any help in understanding and locating the root cause of the issue will be appreciated. Many thanks.
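
One way to test the error message's claim against a cluster, as an added example that is not part of the original post: it takes the source fields of every `multi_terms` aggregation in a search body and looks them up in a field capabilities (`_field_caps`) response, listing any field that resolves to more than one type across the searched indices. The field capabilities response and the index names below are constructed sample data, and positions are reported zero-based as they appear in the `terms` array.

```python
"""List multi_terms source fields that _field_caps reports under several types."""

# Constructed: the aggregation part of the search body shown in the post.
SEARCH_BODY = {
    "aggregations": {
        "UserIdAndUsernameMultiAggs": {
            "aggregations": {
                "host_hostname_keyword_bucket": {
                    "terms": {"field": "host.hostname.keyword"}
                }
            },
            "multi_terms": {
                "size": 25,
                "terms": [
                    {"field": "UserIdAndUsername"},
                    {"field": "EPMWinMac.Session.Administrator", "missing": False},
                ],
            },
        }
    }
}

# Constructed sample of a _field_caps response; index names are placeholders.
# It models the situation the error message describes, not the poster's cluster.
FIELD_CAPS = {
    "indices": ["logs-example-a", "logs-example-b"],
    "fields": {
        "UserIdAndUsername": {
            "keyword": {"type": "keyword", "searchable": True, "aggregatable": True}
        },
        "EPMWinMac.Session.Administrator": {
            "boolean": {"type": "boolean", "searchable": True,
                        "aggregatable": True, "indices": ["logs-example-a"]},
            "keyword": {"type": "keyword", "searchable": True,
                        "aggregatable": True, "indices": ["logs-example-b"]},
        },
    },
}


def multi_terms_fields(aggs):
    """Yield (aggregation name, position, field) for each multi_terms source."""
    for name, agg in aggs.items():
        terms = agg.get("multi_terms", {}).get("terms", [])
        for position, term in enumerate(terms):
            yield name, position, term.get("field")
        # Sub-aggregations may be spelled "aggregations" or "aggs".
        sub_aggs = agg.get("aggregations") or agg.get("aggs") or {}
        yield from multi_terms_fields(sub_aggs)


def type_conflicts(search_body, field_caps):
    """Return multi_terms fields that map to more than one type."""
    all_indices = field_caps.get("indices", [])
    aggs = search_body.get("aggregations") or search_body.get("aggs") or {}
    conflicts = []
    for agg_name, position, field in multi_terms_fields(aggs):
        caps = field_caps.get("fields", {}).get(field, {})
        # _field_caps lists "indices" per type only when the types differ;
        # with a single type the field has that type in every index returned.
        types = {
            type_name: sorted(info.get("indices", all_indices))
            for type_name, info in caps.items()
        }
        if len(types) > 1:
            conflicts.append({
                "aggregation": agg_name,
                "position": position,
                "field": field,
                "types": types,
            })
    return conflicts


if __name__ == "__main__":
    for c in type_conflicts(SEARCH_BODY, FIELD_CAPS):
        print(f"{c['aggregation']} terms[{c['position']}] {c['field']}:")
        for type_name, indices in c["types"].items():
            print(f"  {type_name}: {', '.join(indices)}")
```

An empty result for the same index pattern the search targets means every `multi_terms` source field has a single mapped type there.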