I run a query that finds documents for given IPs and groups them by IP; each group should contain category, clientip and respsize.
"url": "http://pancake.apple.com/cmremoteconfig/2/default",
"clientmac": "ac:7f:3e:27:24:fc",
"hierarchycode": "HIER_DIRECT/23.221.173.39",
"user": "-",
"duration": "129",
"respsize": "2821",
"clientip": "192.168.5.70",
"loggingdate": "04/11/2015 07:26:20",
"resultcode": "TCP_MISS/200",
"reqmethod": "GET",
"category": "11",
"clientname": "192.168.5.70"
What I tried:
POST webproxylog/_search
{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "terms": {
                "clientip": [
                  "192.168.5.84",
                  "192.157.5.101"
                ]
              }
            }
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "categories": {
      "terms": {
        "field": "category",
        "size": 9999,
        "order": {
          "sum_respsize": "desc"
        }
      },
      "aggs": {
        "sum_respsize": {
          "sum": {
            "field": "respsize"
          }
        }
      }
    }
  }
}
It returns:
"buckets": [
  {
    "key": "11",
    "doc_count": 2080,
    "sum_respsize": {
      "value": 959711609
    }
  },
  {
    "key": "27",
    "doc_count": 1458,
    "sum_respsize": {
      "value": 25747310
    }
  }, ...
Actually I need something close to that; I want these buckets to contain each given client name as a parameter, like this:
"buckets": [
  {
    "key": "11",
    "clientip": "192.168.5.101",
    "doc_count": 2080,
    "sum_respsize": {
      "value": 959711609
    }
  },
  {
    "key": "27",
    "clientip": "192.168.5.84",
    "doc_count": 1458,
    "sum_respsize": {
      "value": 25747310
    }
  },
Answer 0 (score: 0)
Try this:
{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "terms": {
                "clientip": [
                  "192.168.5.84",
                  "192.157.5.101"
                ]
              }
            }
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "categories": {
      "terms": {
        "field": "category",
        "size": 9999,
        "order": {
          "sum_respsize": "desc"
        }
      },
      "aggs": {
        "sum_respsize": {
          "sum": {
            "field": "respsize"
          }
        },
        "ip_top_tags": {
          "top_hits": {
            "size": 1,
            "_source": {
              "include": "clientip"
            }
          }
        }
      }
    }
  }
}
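As an added example (not part of the question or the answer above), the following Python script builds the request the question is really asking for: clientip as the outer terms bucket and category as the nested one, with respsize summed per category, so every bucket belongs to exactly one of the given clients instead of being reconstructed from a top_hits sample. It also contains a local reference implementation of the same aggregation over constructed sample documents, returning a response in Elasticsearch's bucket shape, plus a reader that flattens the nested buckets into rows. The function names, the `clients` aggregation name and the sample documents are my own; the query keeps the `filtered` form used on this page (Elasticsearch 1.x/2.x), which later versions replace with a `bool` query carrying a `filter` clause.

```python
import json
from collections import defaultdict


def build_grouped_query(client_ips, max_categories=9999):
    """Request body yielding one bucket per given client IP, each holding
    category sub-buckets ordered by summed respsize. Uses the `filtered`
    query form from the page (Elasticsearch 1.x/2.x); assumption: the
    `clients` aggregation name is ours, not the page's."""
    client_ips = list(client_ips)
    return {
        "query": {
            "filtered": {
                "filter": {"bool": {"must": [{"terms": {"clientip": client_ips}}]}}
            }
        },
        "size": 0,
        "aggs": {
            "clients": {
                # terms on clientip first, so every bucket is one requested client
                "terms": {"field": "clientip", "size": len(client_ips)},
                "aggs": {
                    "categories": {
                        "terms": {
                            "field": "category",
                            "size": max_categories,
                            "order": {"sum_respsize": "desc"},
                        },
                        "aggs": {"sum_respsize": {"sum": {"field": "respsize"}}},
                    }
                },
            }
        },
    }


def aggregate_locally(docs, client_ips):
    """Reference implementation of the same aggregation over in-memory
    documents. Returns a dict in the shape Elasticsearch produces
    (aggregations -> clients -> buckets -> categories -> buckets)."""
    wanted = set(client_ips)
    per_client = defaultdict(lambda: defaultdict(lambda: {"doc_count": 0, "sum": 0}))
    for doc in docs:
        ip = doc["clientip"]
        if ip not in wanted:          # the terms filter drops every other client
            continue
        cell = per_client[ip][doc["category"]]
        cell["doc_count"] += 1
        cell["sum"] += int(doc["respsize"])  # respsize is a string in the page's document
    client_buckets = []
    for ip, cats in per_client.items():
        cat_buckets = sorted(
            ({"key": c, "doc_count": v["doc_count"], "sum_respsize": {"value": v["sum"]}}
             for c, v in cats.items()),
            key=lambda b: b["sum_respsize"]["value"], reverse=True)
        client_buckets.append({
            "key": ip,
            "doc_count": sum(v["doc_count"] for v in cats.values()),
            "categories": {"buckets": cat_buckets},
        })
    client_buckets.sort(key=lambda b: b["doc_count"], reverse=True)  # ES default bucket order
    return {"aggregations": {"clients": {"buckets": client_buckets}}}


def flatten_response(response):
    """Walk the nested buckets into (clientip, category, doc_count, bytes) rows."""
    rows = []
    for client in response["aggregations"]["clients"]["buckets"]:
        for cat in client["categories"]["buckets"]:
            rows.append((client["key"], cat["key"], cat["doc_count"],
                         int(cat["sum_respsize"]["value"])))
    return rows


# Constructed sample documents using the field names of the page's log record.
SAMPLE_DOCS = [
    {"clientip": "192.168.5.84", "category": "11", "respsize": "2821"},
    {"clientip": "192.168.5.84", "category": "11", "respsize": "1000"},
    {"clientip": "192.168.5.84", "category": "27", "respsize": "5000"},
    {"clientip": "192.157.5.101", "category": "11", "respsize": "300"},
    {"clientip": "192.168.5.70", "category": "11", "respsize": "999"},  # not requested
]

if __name__ == "__main__":
    ips = ["192.168.5.84", "192.157.5.101"]
    print(json.dumps(build_grouped_query(ips), indent=2))
    for row in flatten_response(aggregate_locally(SAMPLE_DOCS, ips)):
        print(row)
```

Two things to check before relying on the numbers: respsize appears as a string in the posted `_source`, and a `sum` aggregation only works if the field is mapped as a number (the local version casts with `int()` for that reason); and the outer terms `size` must be at least the number of IPs passed in, otherwise a client can silently drop out of the result. Per-client byte totals by category are also the natural baseline for spotting a host whose outbound volume suddenly diverges from its peers.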