Elasticsearch Rare Terms Aggregation - Syntax, Example, and Tips

Pulse - Elasticsearch Operations Done Right

On this page

Syntax and Documentation Example Usage Common Issues Best Practices Frequently Asked Questions

The Rare Terms Aggregation is a specialized aggregation in Elasticsearch designed to identify terms that occur infrequently in a dataset. Unlike the standard Terms Aggregation which focuses on the most common terms, Rare Terms Aggregation helps in discovering and analyzing rare or unusual occurrences in your data.

Syntax and Documentation

The basic syntax for a Rare Terms Aggregation is as follows:

{
  "aggs": {
    "rare_terms": {
      "rare_terms": {
        "field": "field_name",
        "max_doc_count": 1
      }
    }
  }
}

For detailed information and advanced options, refer to the official Elasticsearch documentation on Rare Terms Aggregation.

Example Usage

Here's an example of using Rare Terms Aggregation to find rare user agents in web server logs:

GET /web_logs/_search
{
  "size": 0,
  "aggs": {
    "rare_user_agents": {
      "rare_terms": {
        "field": "user_agent.keyword",
        "max_doc_count": 5,
        "include": ".*Bot.*"
      }
    }
  }
}

This query will return user agents containing "Bot" that appear in 5 or fewer documents.

Common Issues

  1. High cardinality fields: Using Rare Terms Aggregation on high cardinality fields can be memory-intensive.
  2. Incorrect field type: Ensure you're using the correct field type (typically keyword for exact matches).
  3. Misunderstanding results: Remember that this aggregation focuses on rare terms, not common ones.

Best Practices

  • Use max_doc_count to control the rarity threshold.
  • Combine with other aggregations for more insightful analysis.
  • Consider using include or exclude patterns to focus on specific term patterns.
  • Monitor performance, especially when dealing with large datasets.

Frequently Asked Questions

Q: How does Rare Terms Aggregation differ from Terms Aggregation?
A: While Terms Aggregation focuses on the most common terms, Rare Terms Aggregation identifies infrequent terms, helping to discover unusual or outlier data points.

Q: Can I use Rare Terms Aggregation on numeric fields?
A: Rare Terms Aggregation is typically used on keyword fields. For numeric fields, consider using Range or Histogram aggregations instead.

Q: Is there a limit to how many rare terms can be returned?
A: By default, Elasticsearch limits the number of rare terms returned to 10. You can adjust this using the size parameter.

Q: How can I optimize Rare Terms Aggregation for large datasets?
A: Use filters to reduce the dataset before applying the aggregation, and consider using sampling techniques if absolute precision isn't required.

Q: Can Rare Terms Aggregation be used for anomaly detection?
A: Yes, Rare Terms Aggregation can be an effective tool for identifying anomalies or unusual patterns in your data, especially when combined with other aggregations or analysis techniques.

Pulse - Elasticsearch Operations Done Right

All the Elasticsearch support you'll ever need

Free Trial

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.