02 · DATA MODEL

Aggregations

Every bucket aggregation returns an exact count: there is no HyperLogLog or other sketch in the bucket path, so a bucket's doc_count is the true number of matching rows. That matters for threshold detections such as "more than N events per source" or "more than N distinct IPs per account", where the error bars of an approximate count turn into false positives or missed alerts. Metric aggregations use t-digest for percentiles so their memory stays bounded; the trade-off is that percentile values are approximate while every count, including cardinality, remains exact. The project's 74× speedup over Elasticsearch (ES) on the SIEM workload comes from keeping a per-column value histogram at ingest time: a terms aggregation reads that histogram directly instead of scanning posting lists at query time.

Metric aggregations

avg
sum
min
max
stats           min, max, sum, count, avg in one pass.
value_count
cardinality     Exact · bitmap-backed.
percentiles     t-digest · bounded memory.

Bucket aggregations

terms           Exact, pre-computed histogram. 74× faster than ES on SIEM.
range           Numeric ranges.
histogram       Fixed-interval buckets.
date_histogram  Time-bucketed counts.
filter          Single-filter bucket.
missing         Null / absent field bucket.
composite       Multi-source pagination.

Request shape

{
  "query": { "match_all": {} },
  "aggs": {
    "by_service": {
      "terms": { "field": "service", "size": 10 },
      "aggs": {
        "p95_latency": {
          "percentiles": { "field": "latency_ms", "percents": [50, 95, 99] }
        }
      }
    }
  },
  "size": 0
}
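The request above, together with the ingest-time histogram described at the top of this section, as an added example in Rust that is not the engine's own code: it builds a per-column value histogram while ingesting constructed sample events, serves a `terms` aggregation with exact counts and an exact `cardinality` straight from that histogram, and computes the nested `percentiles` metric only for the buckets that survive the `size` cut. Percentiles here are exact nearest-rank values rather than t-digest, so they are the reference a t-digest answer should approximate. `Event`, `ValueHistogram`, `Bucket`, `run_request` and the sample data are all assumptions made for this example.

```rust
use std::collections::{BTreeMap, HashMap};

/// One ingested log event (constructed for this example, not a real engine row).
#[derive(Clone, Debug)]
pub struct Event {
    pub service: &'static str,
    pub latency_ms: f64,
}

/// Per-column value histogram maintained at ingest time: value -> exact row count.
/// A `terms` aggregation over this column is answered from the histogram alone;
/// no row or posting-list scan happens at query time.
#[derive(Default)]
pub struct ValueHistogram {
    counts: HashMap<String, u64>,
}

impl ValueHistogram {
    pub fn ingest(&mut self, value: &str) {
        *self.counts.entry(value.to_string()).or_insert(0) += 1;
    }

    /// `terms` bucket aggregation: the `size` most frequent values with exact counts.
    /// Ties are broken by key so the result is deterministic.
    pub fn terms(&self, size: usize) -> Vec<(String, u64)> {
        let mut buckets: Vec<(String, u64)> =
            self.counts.iter().map(|(k, v)| (k.clone(), *v)).collect();
        buckets.sort_by(|a, b| b.1.cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
        buckets.truncate(size);
        buckets
    }

    /// `cardinality`: the exact number of distinct values, not a sketch estimate.
    pub fn cardinality(&self) -> usize {
        self.counts.len()
    }
}

/// Nearest-rank percentile over an ascending-sorted slice. Exact, unlike the
/// engine's t-digest (approximate, bounded memory); use it as the reference value.
pub fn percentile(sorted: &[f64], p: f64) -> f64 {
    assert!(!sorted.is_empty(), "percentile of an empty bucket is undefined");
    let rank = ((p / 100.0) * sorted.len() as f64).ceil() as usize;
    sorted[rank.clamp(1, sorted.len()) - 1]
}

/// One `terms` bucket with its nested `percentiles` metric.
#[derive(Debug)]
pub struct Bucket {
    pub key: String,
    pub doc_count: u64,
    pub percentiles: BTreeMap<u32, f64>,
}

/// Evaluate the request shape above: `match_all`, then `terms` on `service`
/// (top `size`) with nested `percentiles` on `latency_ms` for the given percents.
pub fn run_request(events: &[Event], size: usize, percents: &[u32]) -> Vec<Bucket> {
    // Ingest: populate the per-column histogram and per-service latency samples.
    let mut hist = ValueHistogram::default();
    let mut latencies: HashMap<&str, Vec<f64>> = HashMap::new();
    for e in events {
        hist.ingest(e.service);
        latencies.entry(e.service).or_default().push(e.latency_ms);
    }
    // Query: bucket keys and counts come straight from the histogram; the nested
    // metric is computed only for the buckets that survive the `size` cut.
    hist.terms(size)
        .into_iter()
        .map(|(key, doc_count)| {
            let mut sorted = latencies[key.as_str()].clone();
            sorted.sort_by(|a, b| a.partial_cmp(b).expect("no NaN latencies"));
            let percentiles: BTreeMap<u32, f64> = percents
                .iter()
                .map(|&p| (p, percentile(&sorted, f64::from(p))))
                .collect();
            Bucket { key, doc_count, percentiles }
        })
        .collect()
}

/// Exact distinct-value count for the `service` column (the `cardinality` metric).
pub fn distinct_services(events: &[Event]) -> usize {
    let mut hist = ValueHistogram::default();
    for e in events {
        hist.ingest(e.service);
    }
    hist.cardinality()
}

/// Constructed sample events: three services with hand-picked latencies.
pub fn sample_events() -> Vec<Event> {
    let mut events = Vec::new();
    for (service, lats) in [
        ("api", &[10.0, 20.0, 30.0, 40.0, 50.0][..]),
        ("auth", &[100.0, 200.0, 300.0][..]),
        ("batch", &[1000.0, 5000.0][..]),
    ] {
        for &latency_ms in lats {
            events.push(Event { service, latency_ms });
        }
    }
    events
}

fn main() {
    for b in run_request(&sample_events(), 10, &[50, 95, 99]) {
        println!("{:<6} doc_count={} percentiles={:?}", b.key, b.doc_count, b.percentiles);
    }
    println!("distinct services: {}", distinct_services(&sample_events()));
}
```

With `size` set to 2 the `batch` bucket is dropped before any percentile work is done, which is the point of reading `terms` from the histogram: ordering and truncation need no row access, and the nested metric is paid for only on the surviving buckets.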

Source · engine/crates/logs/src/query.rs · engine/README.md §Aggregations