Another elasticsearch aggregation query question

I have documents with the following 5-tuples:

session meta data:
src_ip, src_port, dst_ip, dst_port, proto, hostname

session stats data:
src_ip, src_port, dst_ip, dst_port, proto, in_bytes, out_bytes.

For each session meta data document, there will be several session stats data documents.

I would like to aggregate on the hostname, with the total in+out bytes for each host.

It is like one meta data document with many stats documents, and the key to join them is the 5-tuple. Could someone give me some hints on how to aggregate it?

An example would be highly appreciated.

If it is a tuple you regularly aggregate across, it might make sense to create a separate field at ingest time that contains it, e.g. by concatenating the fields.
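As an added example (not part of the original thread, and not the replier's code), the following Python shows the three pieces the hint implies: an ingest pipeline that concatenates the 5-tuple into a single field at index time, a terms aggregation over that field on the stats index that sums `in_bytes` and `out_bytes`, and the final roll-up from session key to hostname, which still has to be done client-side because the stats documents carry no hostname. The field name `session_key`, the `-` separator and the sample documents are assumptions made for this example; the `set` processor with a Mustache template and the `terms`/`sum` aggregations are standard Elasticsearch features.

```python
from collections import defaultdict

# The five fields shared by both document types (from the question).
FIVE_TUPLE = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")


def five_tuple_key(doc):
    """Concatenate the 5-tuple into one string, mirroring what the ingest pipeline builds."""
    return "-".join(str(doc[f]) for f in FIVE_TUPLE)


def ingest_pipeline(field="session_key"):
    """Ingest pipeline definition (assumed field name): a `set` processor whose value is a
    Mustache template, so every indexed doc gets the concatenated key without client work."""
    template = "-".join("{{" + f + "}}" for f in FIVE_TUPLE)
    return {
        "description": "concatenate the 5-tuple into a single join key",
        "processors": [{"set": {"field": field, "value": template}}],
    }


def bytes_per_session_query(field="session_key"):
    """Search body for the stats index: one bucket per session key, summing both byte counters.
    The hostname is not on the stats docs, so the host roll-up happens after this query."""
    return {
        "size": 0,
        "aggs": {
            "by_session": {
                "terms": {"field": field, "size": 10000},
                "aggs": {
                    "in": {"sum": {"field": "in_bytes"}},
                    "out": {"sum": {"field": "out_bytes"}},
                },
            }
        },
    }


def bytes_by_hostname(meta_docs, stats_docs):
    """Client-side join: session key -> hostname from the meta docs, then total bytes per host.
    Stats docs with no matching meta doc are counted separately rather than silently dropped."""
    host_of = {five_tuple_key(m): m["hostname"] for m in meta_docs}
    totals = defaultdict(int)
    unmatched = 0
    for s in stats_docs:
        host = host_of.get(five_tuple_key(s))
        if host is None:
            unmatched += 1
            continue
        totals[host] += s["in_bytes"] + s["out_bytes"]
    return dict(totals), unmatched


# Constructed sample data (not from the thread).
META = [
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "93.184.216.34", "dst_port": 443,
     "proto": "tcp", "hostname": "example.com"},
    {"src_ip": "10.0.0.5", "src_port": 51001, "dst_ip": "192.0.2.10", "dst_port": 53,
     "proto": "udp", "hostname": "dns.example.net"},
]
STATS = [
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "93.184.216.34", "dst_port": 443,
     "proto": "tcp", "in_bytes": 1200, "out_bytes": 300},
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "93.184.216.34", "dst_port": 443,
     "proto": "tcp", "in_bytes": 800, "out_bytes": 200},
    {"src_ip": "10.0.0.5", "src_port": 51001, "dst_ip": "192.0.2.10", "dst_port": 53,
     "proto": "udp", "in_bytes": 120, "out_bytes": 60},
    # Stats with no meta doc: a session whose meta record was never indexed.
    {"src_ip": "10.0.0.5", "src_port": 51002, "dst_ip": "198.51.100.7", "dst_port": 80,
     "proto": "tcp", "in_bytes": 10, "out_bytes": 5},
]

if __name__ == "__main__":
    import json
    print(json.dumps(ingest_pipeline(), indent=2))
    print(json.dumps(bytes_per_session_query(), indent=2))
    print(bytes_by_hostname(META, STATS))
```

The `unmatched` count is worth keeping in a real pipeline: a stats document without a meta record means traffic that would otherwise vanish from the per-host totals, which is exactly the kind of gap you want to see rather than hide.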
