如何查询 ElasticSearch，找出每天出现 >= 10 次、且与 >= 3 个不同 t-pot_hostname 值相关联的记录？
以下查询没有得到我想要的结果。
{
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"ip": {
"terms": {
"field": "src_ip.keyword",
"min_doc_count": 10
},
"aggs": {
"t-pot": {
"terms": {
"field": "t-pot_hostname.keyword",
"min_doc_count": 3
}
}
}
}
},
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-1d"
}
}
}
],
"filter": [],
"should": [],
"must_not": []
}
}
}
查询输出给出了 src_ip 和 t-pot_hostname 的桶（bucket），如下所示。
"aggregations": {
"ip": {
"doc_count_error_upper_bound": 5427,
"sum_other_doc_count": 264226,
"buckets": [
{
"key": "10.10.100.203",
"doc_count": 954982,
"t-pot": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "tpot3",
"doc_count": 1788
}
]
}
},