Accessing nested fields in an Elasticsearch query from JavaScript

Time: 2016-11-09 06:10:37

Tags: javascript elasticsearch elasticsearch-query

I have the following data in Elasticsearch. I want to aggregate on "Dest IP" after matching a specific value of "Source MAC Addr". How can I do this with an Elasticsearch query from JavaScript?

{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : 1.0,
"hits" : [ {
  "_index" : "logstash-1",
  "_type" : "packet",
  "_id" : "bcb57f445084cc0e474366bf892f6b4ab9162a4e",
  "_score" : 1.0,
  "_source" : {
    "@source" : "logstash",
    "@source_host" : "03",
    "@message" : "72",
    "@tags" : [ ],
    "@fields" : {
      "Protocol Type" : "TCP",
      "Dst Domain" : "USER1",
      "No" : 72,
      "Timestamp" : "2016-11-08 10:46:57.691",
      "Source IP" : "10.10.10.10",
      "Source MAC Addr" : "00:00:00:00:00:00",
      "Length" : 1480,
      "Dest MAC Addr" : "ad:ad:ad:ad:ad:ad",
      "Src -> Dst" : "10.10.10.10 -> 20.20.20.20",
      "TTL" : 60,
      "Src Domain" : "act",
      "logger" : "logger",
      "Dest IP" : "20.20.20.20",
      "levelname" : "INFO",
      "Size" : 100
    }
  }
}, {
  "_index" : "logstash",
  "_type" : "packet",
  "_id" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7",
  "_score" : 1.0,
  "_source" : {
    "message" : "aaaa\n",
    "tags" : [ "_jsonparsefailure" ],
    "@version" : "1",
    "@timestamp" : "2016-11-08T04:11:30.663Z",
    "type" : "packet",
    "host" : "10.10.10.10",
    "fingerprint" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7"
  }
} ]
}
}

1 answer:

Answer 0 (score: 0)

That seems to be a query result, so it would be handy to include the query too, but I still don't get what kind of aggregation you want, so a query filtered by IP and MAC should do the job. The aggregation can also be done by filtering first by IP address and then aggregating:

"aggs": {
    "by_mac_addr": {
      "terms": {
        "field": "Source MAC Addr",
        "order": {
          "_term": "asc"
        },
        "size": 1000
      }
    }
}
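The combination the question actually asks for (filter on "Source MAC Addr", then bucket by "Dest IP"), as an added example that is not part of the question or the answer above. The function names are mine; it assumes the documents look like the first hit in the question, with the fields under the "@fields" object, and that both string fields are indexed as exact values (not_analyzed / keyword).

```javascript
// Added example (not from the question or the answer). It assumes the
// documents look like the one in the question: the fields sit under the
// "@fields" object, so they are addressed by dotted path ("@fields.Dest IP").
// It also assumes both string fields are indexed as exact values
// (not_analyzed / keyword); for analyzed strings use the ".raw" sub-field.
const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;

// Request body: filter on the source MAC, then bucket hits by destination IP.
// Top-level size 0 returns only the aggregation, no individual documents.
function buildDestIpAggQuery(sourceMac, bucketSize = 1000) {
  // The body is a plain object, never a concatenated string, so the value
  // cannot change the query structure; the format check still rejects junk.
  if (!MAC_RE.test(sourceMac)) {
    throw new Error(`invalid MAC address: ${sourceMac}`);
  }
  return {
    size: 0,
    query: {
      bool: {
        // MACs in the sample data are lower-case, so normalise before matching.
        filter: [{ term: { '@fields.Source MAC Addr': sourceMac.toLowerCase() } }],
      },
    },
    aggs: {
      by_dest_ip: {
        terms: { field: '@fields.Dest IP', size: bucketSize, order: { _count: 'desc' } },
      },
    },
  };
}

// Reduce the aggregation part of a search response to { ip: count, ... }.
function destIpCounts(response) {
  const agg = (response.aggregations && response.aggregations.by_dest_ip) || {};
  const buckets = agg.buckets || [];
  return Object.fromEntries(buckets.map((b) => [b.key, b.doc_count]));
}

// Constructed sample response in the shape Elasticsearch returns for the
// query above (not captured from a real cluster).
const sampleResponse = {
  took: 3, timed_out: false, hits: { total: 3, max_score: 0, hits: [] },
  aggregations: {
    by_dest_ip: {
      doc_count_error_upper_bound: 0, sum_other_doc_count: 0,
      buckets: [{ key: '20.20.20.20', doc_count: 2 }, { key: '30.30.30.30', doc_count: 1 }],
    },
  },
};
```

With the official JavaScript client the call is `client.search({ index: 'logstash-*', type: 'packet', body: buildDestIpAggQuery('00:00:00:00:00:00') }).then(destIpCounts)`.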