I have an aggregated set of event based documents. Each document can be distinguished by an ip field and another field which categorises the use of said ip. the field which categorises the usage is limited to a set of discrete possible values (say three a,b and c).
so my questions are as follows:
- how do i aggregate for documents which share an ip but have more than one usage? thus return a document list that I can perform sub aggregations or metrics on as opposed to a number.
- how can i get information on the period and sequence of usage change over the documents that share an ip address? ideally this would be date histogram breakdown broken down by usage per ip address .
obviously solving one would be useful in solving two above. Any help would be much appreciated. Thanks in advance.
I think it is clear that a visualization will not work here. It is a report I am trying to accomplish as there are many ips and they will not fit on the axis' very well when visualizing. so the final report would have ip address, usagetypes, usage order, percentile breakdown of usage per day etc. -Thanks!