Filter aggregation in Elasticsearch - Step-by-Step Execution

Concept Flow - Filter aggregation
1. Start Query
2. Apply Filter Condition
3. Select Documents Matching Filter
4. Perform Aggregations on Filtered Docs
5. Return Aggregation Results
The filter aggregation applies a filter to select documents, then runs aggregations only on those filtered documents.
Execution Sample
Elasticsearch
{
  "aggs": {
    "filtered_sales": {
      "filter": { "term": { "status": "sold" } },
      "aggs": { "total_price": { "sum": { "field": "price" } } }
    }
  }
}
This query filters documents where status is 'sold' and sums the price field for those documents.
Execution Table
| Step | Action | Filter Condition | Documents Selected | Aggregation Performed | Result |
|---|---|---|---|---|---|
| 1 | Start query | N/A | All documents | N/A | N/A |
| 2 | Apply filter | status == 'sold' | Only documents with status 'sold' | N/A | N/A |
| 3 | Run aggregation | N/A | Filtered documents | Sum price field | Sum of prices for sold items |
| 4 | Return result | N/A | N/A | N/A | {"filtered_sales":{"doc_count":3,"total_price":{"value":450}}} |
💡 Aggregation completes after filtering and summing prices of matching documents.
Variable Tracker
| Variable | Start | After Filter | After Aggregation | Final |
|---|---|---|---|---|
| Documents | All documents | Filtered to status='sold' | Aggregation on filtered docs | Aggregation result returned |
| doc_count | N/A | 3 (example count) | N/A | 3 |
| total_price | N/A | N/A | 450 (example sum) | 450 |
Key Moments - 2 Insights
Why does the aggregation only include some documents?
Because the filter aggregation first selects documents matching the filter condition (see execution_table step 2), only those documents are used in the aggregation.
What happens if no documents match the filter?
The aggregation runs on zero documents, so the result will show doc_count as 0 and aggregation values as zero or null (see variable_tracker doc_count after filter).
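The execution steps and the no-match case above, modeled in Python as an added example; it is not code from the original page and not Elasticsearch's implementation. The sample documents, the helper names `matches`, `metric`, `run_aggs` and `sales_request`, and the extra `avg_price` sub-aggregation are assumptions made for illustration.

```python
# Added illustration, not Elasticsearch code: an in-memory model of the
# filter aggregation that mirrors the request and response shapes.

# Constructed sample documents (not taken from a real index).
DOCS = [
    {"status": "sold", "price": 100},
    {"status": "sold", "price": 150},
    {"status": "available", "price": 300},
    {"status": "sold", "price": 200},
    {"status": "available", "price": 75},
]

def matches(doc, filter_query):
    """Evaluate a 'term' filter: exact match of one field against one value."""
    (kind, clause), = filter_query.items()
    if kind != "term":
        raise ValueError(f"filter type not modeled here: {kind}")
    (field, value), = clause.items()
    return doc.get(field) == value

def metric(docs, agg):
    """Compute a 'sum' or 'avg' metric over the docs that carry the field."""
    (kind, params), = agg.items()
    values = [d[params["field"]] for d in docs if params["field"] in d]
    if kind == "sum":
        return {"value": float(sum(values))}  # empty bucket -> 0.0
    if kind == "avg":
        return {"value": sum(values) / len(values) if values else None}  # empty -> null
    raise ValueError(f"metric type not modeled here: {kind}")

def run_aggs(docs, aggs):
    """Step 2: apply the filter. Step 3: run sub-aggregations on the bucket only."""
    out = {}
    for name, body in aggs.items():
        if "filter" in body:
            bucket = [d for d in docs if matches(d, body["filter"])]
            out[name] = {"doc_count": len(bucket), **run_aggs(bucket, body.get("aggs", {}))}
        else:
            out[name] = metric(docs, body)
    return out

def sales_request(status):
    """The page's request body, plus a hypothetical avg_price sub-aggregation."""
    subs = {"total_price": {"sum": {"field": "price"}},
            "avg_price": {"avg": {"field": "price"}}}
    return {"filtered_sales": {"filter": {"term": {"status": status}}, "aggs": subs}}

if __name__ == "__main__":
    print(run_aggs(DOCS, sales_request("sold")))      # three matching documents
    print(run_aggs(DOCS, sales_request("refunded")))  # no matching documents
```

With a status that matches nothing, the bucket is still returned with doc_count 0; the sum reports 0.0 while the average reports null, which is why a missing bucket and an empty bucket should not be confused when reading results.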
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution_table at step 2, what documents are selected?
A. All documents in the index
B. Documents where price is zero
C. Documents where status is 'sold'
D. No documents
💡 Hint: Check the 'Documents Selected' column at step 2 in execution_table.

2. At which step is the sum of the price field calculated?
A. Step 2
B. Step 3
C. Step 1
D. Step 4
💡 Hint: Look at the 'Aggregation Performed' column in execution_table.

3. If the filter changed to status='available', how would the doc_count change?
A. It would be the count of documents with status 'available'
B. It would stay the same
C. It would be zero always
D. It would count all documents
💡 Hint: Refer to variable_tracker doc_count after filter and how filter affects document selection.
Concept Snapshot
Filter aggregation syntax:
{
  "aggs": {
    "name": {
      "filter": { <filter_query> },
      "aggs": { <sub_aggregations> }
    }
  }
}

Behavior: Filters documents first, then runs sub-aggregations only on those.
Key rule: Aggregations inside filter only see filtered docs.
Full Transcript
Filter aggregation in Elasticsearch works by first applying a filter condition to select only the documents that match. It then performs aggregations such as sum or average on those filtered documents only. For example, a query can filter documents where status is 'sold' and sum their price fields. The execution steps are: start query, apply filter, run aggregation on filtered docs, and return results. Variables like doc_count track how many documents matched the filter. If no documents match, the aggregation results reflect zero or null values. Changing the filter changes which documents are included and therefore changes the aggregation results.