0

我在elasticsearch中有以下数据。在匹配“源 MAC 地址”的特定值后,我想基于“目标 IP”进行聚合。如何使用来自 javascript 的 elasticsearch 查询来实现这一点。

{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : 1.0,
"hits" : [ {
  "_index" : "logstash-1",
  "_type" : "packet",
  "_id" : "bcb57f445084cc0e474366bf892f6b4ab9162a4e",
  "_score" : 1.0,
  "_source" : {
    "@source" : "logstash",
    "@source_host" : "03",
    "@message" : "72",
    "@tags" : [ ],
    "@fields" : {
      "Protocol Type" : "TCP",
      "Dst Domain" : "USER1",
      "No" : 72,
      "Timestamp" : "2016-11-08 10:46:57.691",
      "Source IP" : "10.10.10.10",
      "Source MAC Addr" : "00:00:00:00:00:00",
      "Length" : 1480,
      "Dest MAC Addr" : "ad:ad:ad:ad:ad:ad",
      "Src -> Dst" : "10.10.10.10 -> 20.20.20.20",
      "TTL" : 60,
      "Src Domain" : "act",
      "logger" : "logger",
      "Dest IP" : "20.20.20.20",
      "levelname" : "INFO",
      "Size" : 100
    },
  }
}, {
  "_index" : "logstash",
  "_type" : "packet",
  "_id" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7",
  "_score" : 1.0,
  "_source" : {
    "message" : "aaaa\n",
    "tags" : [ "_jsonparsefailure" ],
    "@version" : "1",
    "@timestamp" : "2016-11-08T04:11:30.663Z",
    "type" : "packet",
    "host" : "10.10.10.10",
    "fingerprint" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7"
  }
} ]
}
}
4

1 回答 1

0

好吧,这似乎是一个查询结果,所以也包括那个查询会很方便,但我仍然没有得到你想要什么样的聚合,所以一个由 IP 和 MAC 过滤的查询应该可以完成这项工作,而不需要聚合,也可以通过首先按 IP 地址过滤然后聚合来完成

"aggs": {
    "by_mac_addr": {
      "terms": {
        "field": "Source MAC Addr",
        "order": {
          "_term": "asc"
        },
        "size": 1000
      }
    }
于 2016-11-09T08:31:28.113 回答