1

Here's an example of a document in my ES index:

{
  "src_ip": "192.168.1.1",
  "dst_ip": "192.168.1.2"
}

I want obtain the number of occurrences of ip in different documents(in field src_ip or dst_ip). What I would like to get as a result of the query is an aggregation like this:

[
  {"ip": "192.168.1.1", "count": 1"},
  {"ip": "192.168.1.2", "count": 1"}
]

Any idea about that? Thanks in advance for your help.

Improve this question

1 Answer 1

Reset to default
1

You need to use term aggregation, Where you will get the group counts.

POST index_name/_search?size=0
{
  "aggs": {
    "src_ip_count": {
      "terms": {
        "field": "src_ip"
      }
    },
    "dst_ip_count": {
      "terms": {
        "field": "dst_ip"
      }
    }
  }
}

Here i am assuming that the type of src_ip and dst_ip is keyword. If it's not, You need to store all value as keyword type.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for your reply! But the search returns two aggregation results, not one. Is possible to return one aggregation result, the aggregation key is all keywords in src_ip and dst_ip?
Yes it return two aggregations because you want group count on two individual field. To convert in specific format, I would recommend to handle programmatically. But i hope you getting desire results. Let me know.
Mark it answered if its really helped you. So that others can take reference :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.