Another elasticsearch aggregation query question

xwang12345 · June 21, 2017, 5:33am

I have the documents with the following 5 tuples:

session meta data:
src_ip, src_port, dst_ip, dst_port, proto, hostname

session stats data:
src_ip, src_port, dst_ip, dst_port, proto, in_bytes, out_bytes.

For each document of session meta data, there will be several session stats data documents

I would like to aggregate on the hostname, with the total in+out bytes for each host.

It is like one meta data document with many stats documents, the key to join them is the 5 tuple, could someone give me some hints how to aggregate it?

Example will be highly appreciated,

Christian_Dahlqvist · June 21, 2017, 6:12am

If it is a tuple you regularly aggregate across, it might make sense to create a separate field at ingest time that contains it, e.g. by concatenating the fields.

system · July 19, 2017, 6:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic aggregation query question Elasticsearch	2	550	July 21, 2017
How to perform sum aggregation and term aggregation in single query? Elasticsearch	2	573	March 24, 2022
Aggregate document and "cumulate" fields Elasticsearch	1	177	February 9, 2023
Aggregation in Elasticsearch Elasticsearch	1	285	March 26, 2019
How do I aggregate based on these fields? Elasticsearch	1	163	October 20, 2021

Another elasticsearch aggregation query question

Related topics