我想在DST_Local_IP或SRC_Local_IP中过滤唯一的IP,无论它是什么。 这是我的REST API:
{
"size" : 0,
"query": {
"bool": {
"should": [
{
"match":{"IPV4_DST_ADDR":"120.127.0.0/16"}
},
{
"match":{"IPV4_SRC_ADDR":"120.127.0.0/16"}
},
{
"range" : {
"LAST_SWITCHED" : {
"gte" : 0
}
}
}
],
"minimum_should_match": 2
}
},
"aggs": {
"DST_Local_IP": {
"filter": {
"bool": {
"filter": {
"match":{"IPV4_DST_ADDR":"120.127.0.0/16"}
}
}
},
"aggs": {
"dst_local_ip" : {
"terms" : {
"field" : "IPV4_DST_ADDR",
"size": 10000
}
}
}
},
"SRC_Local_IP": {
"filter": {
"bool": {
"filter": {
"match":{"IPV4_SRC_ADDR":"120.127.0.0/16"}
}
}
},
"aggs": {
"src_local_ip" : {
"terms" : {
"field" : "IPV4_SRC_ADDR",
"size": 10000
}
}
}
}
}
}
响应:
"aggregations": {
"SRC_Local_IP": {
"doc_count": 48287688,
"src_local_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "120.127.160.8",
"doc_count": 6890185
},
{
"key": "120.127.160.77",
"doc_count": 3791683
},
{
"key": "120.127.160.65",
"doc_count": 1646648
},
{
"key": "120.127.160.42",
"doc_count": 1058027
}
。 。
"DST_Local_IP": {
"doc_count": 36696216,
"dst_local_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "120.127.160.8",
"doc_count": 2762815
},
{
"key": "120.127.160.99",
"doc_count": 1344110
}
我希望返回值是不同的,因为DST_Local_IP中的ip可能在SRC_Local_IP中重复,但我只想要唯一的ip,无论ip是在DST_Local_IP还是SRC_Local_IP。
我该怎么办?你能给我一些想法吗?)
提前谢谢你!