Combine documents for aggregate query


(Martin Takeuchi) #1

Hi,

I'm new to elasticsearch, so please bear with me.

I am using logstash to ship sendmail logs into elasticsearch.
For any particular mail, sendmail logs the "to" and "from" addresses in different log entries, resulting in (at least) two different elasticsearch documents per mail (they do share a sendmail message ID).

for example:

{
  "id": 1,
  "msgid": "s938943sa99",
  "from": "joe@example.com",
  "relayip": "192.168.0.1"
}
{
  "id": 2,
  "msgid": "s938943sa99",
  "to": "frank@example.com",
  "status": "Sent"
}

I would like to be able to find out the number of mails sent per to/from combination over a particular time period, i.e. 5 mails sent from joe@example.com to frank@example.com, and 7 mails sent from mary@example.com to sara@example.com in the last hour.

I understand about using aggregations on a field, so I can find out how many mails were sent from a particular address:

curl -XGET 'http://localhost:9200/logstash*/_search?pretty=true' -d '
{
  "query" : {
    "bool" : {
      "must" : [
        {
          "range" : {
            "@timestamp" : {
              "gt" : "now-1h"
            }
          }
        }
      ]
    }
  },
  "aggs" : {
    "myfrom" : {
      "terms" : {
        "field" : "from.raw",
        "min_doc_count" : 1
      }
    }
  }
}'

I don't see how I can combine the documents to aggregate on to/from combination. Is this possible?

Thanks for any help,
Martin

To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b8d758b5-dd4e-4218-8f89-00970b4519a3%40googlegroups.com.
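The join the post asks for can be done on the client side once the two documents per message are in hand: group the hits by msgid, pair each "to" entry with its message's single "from" entry, and count the (from, to) pairs whose delivery falls in the window. The following is an added example, not code from the original post or from any reply to it. It assumes the two-document layout shown above plus the @timestamp field used in the curl query; the sample hits, the message IDs, the addresses, the timestamps and the function names (join_by_msgid, count_pairs, pairs_last_hour) are all my own constructions. It also handles the cases a practitioner hits in practice: a message with several recipients (sendmail logs one "to" entry per recipient), a "to" entry whose "from" entry is older than the window, a delivery whose status is not Sent, and a "to" entry with no matching "from" document at all.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample hits, shaped like the _source of the two-documents-per-message
# layout in the post. All msgids, addresses and timestamps are made up.
SAMPLE_HITS = [
    {"@timestamp": "2014-05-01T10:05:00Z", "msgid": "s938943sa99", "from": "joe@example.com", "relayip": "192.168.0.1"},
    {"@timestamp": "2014-05-01T10:05:01Z", "msgid": "s938943sa99", "to": "frank@example.com", "status": "Sent"},
    # one message, two recipients: sendmail writes one "to" entry per recipient
    {"@timestamp": "2014-05-01T10:10:00Z", "msgid": "s938944ab00", "from": "mary@example.com", "relayip": "192.168.0.2"},
    {"@timestamp": "2014-05-01T10:10:02Z", "msgid": "s938944ab00", "to": "sara@example.com", "status": "Sent"},
    {"@timestamp": "2014-05-01T10:10:02Z", "msgid": "s938944ab00", "to": "frank@example.com", "status": "Sent"},
    # "from" entry logged before the window, delivery inside it: must still be counted
    {"@timestamp": "2014-05-01T09:20:00Z", "msgid": "s938945cd11", "from": "joe@example.com", "relayip": "192.168.0.1"},
    {"@timestamp": "2014-05-01T10:30:00Z", "msgid": "s938945cd11", "to": "frank@example.com", "status": "Sent"},
    # delivery deferred: not a sent mail, so not counted
    {"@timestamp": "2014-05-01T10:40:00Z", "msgid": "s938946ef22", "from": "mary@example.com", "relayip": "192.168.0.2"},
    {"@timestamp": "2014-05-01T10:40:03Z", "msgid": "s938946ef22", "to": "sara@example.com", "status": "Deferred"},
    # "to" entry whose "from" document is missing from the result set
    {"@timestamp": "2014-05-01T10:50:00Z", "msgid": "s938947gh33", "to": "frank@example.com", "status": "Sent"},
]

# Fixed "now" for the sample so the example is reproducible (an assumption, not a real clock).
NOW = datetime(2014, 5, 1, 11, 0, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the @timestamp string form used in the sample hits as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def join_by_msgid(hits):
    """Group hits by msgid: one 'from' record and a list of 'to' records per message."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for h in hits:
        m = msgs[h["msgid"]]
        if "from" in h:
            m["from"] = h
        elif "to" in h:
            m["to"].append(h)
    return msgs


def count_pairs(hits, now, window=timedelta(hours=1), status="Sent"):
    """Count (from, to) pairs for deliveries with the given status whose 'to' entry
    falls within [now - window, now]. The window is applied to the delivery entry only,
    so a 'from' entry logged earlier still joins. Returns (Counter, list of msgids whose
    'to' entry had no 'from' document to join with)."""
    counts = Counter()
    unmatched = []
    since = now - window
    for msgid, m in join_by_msgid(hits).items():
        for t in m["to"]:
            if t.get("status") != status:
                continue
            ts = parse_ts(t["@timestamp"])
            if not (since <= ts <= now):
                continue
            if m["from"] is None:
                unmatched.append(msgid)
                continue
            counts[(m["from"]["from"], t["to"])] += 1
    return counts, unmatched


def pairs_last_hour(hits=SAMPLE_HITS, now=NOW):
    """Convenience wrapper: last-hour counts for the sample data as a plain dict."""
    counts, unmatched = count_pairs(hits, now)
    return dict(counts), unmatched


if __name__ == "__main__":
    counts, unmatched = pairs_last_hour()
    for (src, dst), n in sorted(counts.items()):
        print(f"{n} mails sent from {src} to {dst}")
    if unmatched:
        print("no 'from' document for:", ", ".join(unmatched))
```

In practice the hits would be the `_source` of each entry in `hits.hits` of a search response. Note that the range filter in the curl query above cannot simply be reused for this join: it would drop the "from" document of any message that was accepted before the window but delivered inside it. Either widen the range on the query that fetches the documents and let count_pairs apply the real window to the delivery entry, or fetch the "to" entries for the window first and then query their msgids for the matching "from" entries.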
