Hello,
I am having a difficult time trying to compare the results of two aggregates. More specifically, I want to find unique "keys" between two aggregate buckets. For example, I have the two aggregates on the sample web logs data:
Aggregate 1:
GET /kibana_sample_data_logs/_search
{
  "size": 0,
  "query": {
    "match_phrase": {
      "agent": "Mozilla/4.0"
    }
  },
  "aggs": {
    "IPs": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}
Aggregate 2:
GET /kibana_sample_data_logs/_search
{
  "size": 0,
  "query": {
    "match_phrase": {
      "agent": "Mozilla/5.0"
    }
  },
  "aggs": {
    "IPs": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}
With the resulting buckets, is there a way to create a third aggregate of IPs that are in the first aggregate but not the second, or vice versa? Preferably in a single API request?
I have tried to use sub-aggregations and scripts but not made any progress.
Thanks!
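As an added example (not code from the post or from Elastic), here are the two ways this is usually handled. The first is the client-side approach: take the two terms-aggregation responses as returned and compute the set difference of their bucket keys. The second builds a single request that does the comparison server-side: a `terms` aggregation on `clientip`, a `filters` sub-aggregation that counts the documents per user agent inside each IP bucket, and a `bucket_selector` pipeline aggregation that keeps only the IP buckets seen with one agent and never with the other. The `buckets_path` syntax for keyed filter buckets (`agents['a']>_count`) follows the Elasticsearch pipeline-aggregation docs; the sample responses and IP addresses below are constructed for the example.

```python
import json

# Constructed sample responses, shaped like the two terms-aggregation replies
# from the post. The IPs and counts are made up for this example.
RESPONSE_MOZILLA4 = {"aggregations": {"IPs": {"buckets": [
    {"key": "10.0.0.1", "doc_count": 12},
    {"key": "10.0.0.2", "doc_count": 7},
    {"key": "10.0.0.3", "doc_count": 3},
]}}}
RESPONSE_MOZILLA5 = {"aggregations": {"IPs": {"buckets": [
    {"key": "10.0.0.2", "doc_count": 5},
    {"key": "10.0.0.4", "doc_count": 9},
]}}}


def bucket_keys(response, agg_name="IPs"):
    """Return the set of bucket keys of a terms aggregation in a search response."""
    return {b["key"] for b in response["aggregations"][agg_name]["buckets"]}


def keys_only_in(first, second, agg_name="IPs"):
    """Client-side answer: keys in `first`'s buckets that are absent from `second`'s.

    Caveat: a terms aggregation only returns its top `size` buckets (default 10),
    so raise `size` on both requests or the difference is computed on a sample.
    """
    return bucket_keys(first, agg_name) - bucket_keys(second, agg_name)


def build_single_request(field="clientip", only_agent="Mozilla/4.0",
                         not_agent="Mozilla/5.0", size=1000):
    """Server-side answer in one request (hypothetical query, built for this example).

    Each IP bucket gets two filter sub-buckets, "a" (docs with only_agent) and
    "b" (docs with not_agent); the bucket_selector keeps the IP only when a > 0
    and b == 0, i.e. the IP appears with the first agent but never the second.
    Swap the two agents to get the reverse difference.
    """
    return {
        "size": 0,
        # Narrow the candidate documents to the two agents of interest so the
        # terms buckets are not polluted by unrelated traffic.
        "query": {"bool": {
            "should": [
                {"match_phrase": {"agent": only_agent}},
                {"match_phrase": {"agent": not_agent}},
            ],
            "minimum_should_match": 1,
        }},
        "aggs": {"IPs": {
            # `size` must be large enough to hold every IP you want compared:
            # the selector only runs over the buckets the terms agg returns.
            "terms": {"field": field, "size": size},
            "aggs": {
                "agents": {"filters": {"filters": {
                    "a": {"match_phrase": {"agent": only_agent}},
                    "b": {"match_phrase": {"agent": not_agent}},
                }}},
                "only_in_a": {"bucket_selector": {
                    "buckets_path": {
                        "a": "agents['a']>_count",
                        "b": "agents['b']>_count",
                    },
                    "script": "params.a > 0 && params.b == 0",
                }},
            },
        }},
    }


if __name__ == "__main__":
    print("only Mozilla/4.0:", sorted(keys_only_in(RESPONSE_MOZILLA4, RESPONSE_MOZILLA5)))
    print("only Mozilla/5.0:", sorted(keys_only_in(RESPONSE_MOZILLA5, RESPONSE_MOZILLA4)))
    print(json.dumps(build_single_request(), indent=2))
```

The single-request form is the one to prefer when the number of distinct IPs is larger than you want to pull back twice, but remember that `bucket_selector` runs after the `terms` aggregation has already truncated to its top `size` buckets, so an IP outside that cut-off silently disappears from the comparison; set `size` with that in mind or check `sum_other_doc_count` in the response.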