Hi All,
I have the aggregation below, and I would like it to include only those hdr_subject buckets that have 10 or more documents in that time frame. Is it possible to apply a filter of some sort?
{
"size": 0,
"aggs": {
"2": {
"terms": {
"field": "hdr_subject.keyword",
"size": 10,
"order": {
"_count": "desc"
}
},
"aggs": {
"3": {
"terms": {
"field": "ip",
"size": 10,
"order": {
"_count": "desc"
}
}
}
}
}
},
"version": true,
"query": {
"bool": {
"must": [
{
"query_string": {
"analyze_wildcard": true,
"query": "program:GW AND EnvID:p-xxxxn AND action:P6_ACCEPT_DEFAULT AND _exists_:hdr_subject AND cm_score: [0 TO 90] AND NOT dkim:pass*"
}
},
{
"range": {
"@timestamp": {
"gte": 1509086400000,
"lte": 1509086731668,
"format": "epoch_millis"
}
}
}
],
"must_not": [
{
"bool": {
"minimum_should_match": 1,
"should": [
{
"match_phrase": {
"hdr_from": "gruppiotthon"
}
},
{
"match_phrase": {
"hdr_from": "gruppiajandek.hu"
}
},
{
"match_phrase": {
"hdr_from": "telekom.hu"
}
},
{
"match_phrase": {
"hdr_from": "szallas.hu"
}
},
{
"match_phrase": {
"hdr_from": "hvg.hu"
}
},
{
"match_phrase": {
"hdr_from": "kreativhobby.hu"
}
},
{
"match_phrase": {
"hdr_from": "spartoo.hu"
}
},
{
"match_phrase": {
"hdr_from": "vizionet.cz"
}
},
{
"match_phrase": {
"hdr_from": "forum-media.hu"
}
}
]
}
}
]
}
}
}