REST API查询字符串


标签: rest elasticsearch

我想过滤掉 Sum_PKTS 小于 10 的桶(bucket),只保留 Sum_PKTS 不小于 10 的 IP。

如何把下面这个 `range` 条件合并进已有的查询里?这样做可行吗?

顺便说一句,Sum_PKTS 并不是文档里的字段,而是对 `Packet` 字段做 `sum` 聚合得到的结果(见下面查询中的 `"sum": { "field": "Packet" }`)。

目标是:先筛选出本地 IP(192.168.0.0/16)的文档,按 IP 对 `Packet` 字段求和,最后只保留 Sum_PKTS 不小于 10 的 IP。

{
   "range":{
        "Sum_PKTS":{
                "gte": 10
              }
       }
}
--

GET /_search
{
  "size" : 0,
  "query": {
    "bool": {
      "should": [
        {
            "match":{"IPV4_DST_ADDR":"192.168.0.0/16"}
        },
        {
            "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"}
        }
      ],
      "minimum_should_match": 1,
      "must":[
        {
          "range":{
            "@timestamp":{
            "gte":"now-5m"
            }
          }
        }
      ]
    }
  },
    "aggs": {
      "DST_Local_IP": {
        "filter": {
          "bool": {
            "filter": {
                "match":{"IPV4_DST_ADDR":"192.168.0.0/16"}
              }
            }
          },
          "aggs": {
                "genres":{
                    "terms" : {
                    "field" : "IPV4_DST_ADDR" ,
                    "order" : { "Sum_PKTS" : "desc" }
                    },
                    "aggs":{
                     "Sum_PKTS": {
                     "sum" : { "field" : "Packet" }
                    }
              }
            }
          }
      }, 
      "SRC_Local_IP": {
      "filter": {
        "bool": { 
          "filter": {
              "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"}
            }
          }
        },
        "aggs": {
            "genres":{
                "terms" : {
                    "field" : "IPV4_SRC_ADDR" ,
                    "order" : { "Sum_PKTS" : "desc" }
                    },
                    "aggs":{
                    "Sum_PKTS": {
                    "sum" : { "field" : "Packet" }
                }
              }
            }
          }
      }
  }
}

提前谢谢!

1 个答案:


`query` 里的 `range` 只能按文档字段过滤,而 Sum_PKTS 是聚合结果,所以无法直接把那个 `range` 条件合并进查询;需要在 `terms` 聚合内部使用 bucket selector pipeline aggregation(请参见下面的两个 `Sum_PKTS_gte_10` 聚合)按桶的 sum 值过滤。两点注意:bucket_selector 是在 `terms` 聚合已经选出桶之后才运行的,而下面的 `terms` 聚合没有设置 `size`(Elasticsearch 默认只返回 10 个桶),如果需要列出所有 Sum_PKTS ≥ 10 的 IP,请相应调大 `size`;另外阈值 10 这里是写死在脚本里的,如果阈值来自用户输入,应通过 `params` 传入(例如 `"script": {"source": "params.sum_packets >= params.min", "params": {"min": 10}}`),不要把输入拼接进脚本源码。另外用 `match` 匹配 `192.168.0.0/16` 这种 CIDR 写法,前提是 `IPV4_DST_ADDR`/`IPV4_SRC_ADDR` 映射为 `ip` 类型——请核对映射。

{
  "size": 0,
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "IPV4_DST_ADDR": "192.168.0.0/16"
          }
        },
        {
          "match": {
            "IPV4_SRC_ADDR": "192.168.0.0/16"
          }
        }
      ],
      "minimum_should_match": 1,
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-5m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "DST_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
            "match": {
              "IPV4_DST_ADDR": "192.168.0.0/16"
            }
          }
        }
      },
      "aggs": {
        "genres": {
          "terms": {
            "field": "IPV4_DST_ADDR",
            "order": {
              "Sum_PKTS": "desc"
            }
          },
          "aggs": {
            "Sum_PKTS": {
              "sum": {
                "field": "Packet"
              }
            },
            "Sum_PKTS_gte_10": {
              "bucket_selector": {
                "buckets_path": {
                  "sum_packets": "Sum_PKTS"
                },
                "script": "params.sum_packets >= 10"
              }
            }
          }
        }
      }
    },
    "SRC_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
            "match": {
              "IPV4_SRC_ADDR": "192.168.0.0/16"
            }
          }
        }
      },
      "aggs": {
        "genres": {
          "terms": {
            "field": "IPV4_SRC_ADDR",
            "order": {
              "Sum_PKTS": "desc"
            }
          },
          "aggs": {
            "Sum_PKTS": {
              "sum": {
                "field": "Packet"
              }
            },
            "Sum_PKTS_gte_10": {
              "bucket_selector": {
                "buckets_path": {
                  "sum_packets": "Sum_PKTS"
                },
                "script": "params.sum_packets >= 10"
              }
            }
          }
        }
      }
    }
  }
}