Count the percentage of character fields

f26227279 · December 26, 2017, 4:25am

Hi, everyone:
I want to count the percentage of specified field data.
this is my Rest API:

GET _search
{
"_source": {
  "includes": [ "FIRST_SWITCHED", "LAST_SWITCHED","IPV4_DST_ADDR","L4_DST_PORT","IPV4_SRC_ADDR","L7_PROTO_NAME","IN_BYTES","IN_PKTS","OUT_BYTES","OUT_PKTS"]
},
"from" : 0, "size" : 10000,
"query": {
"bool": {
  "must": [
    {
        "match" : { "_index" : "logstash-2017.12.22" }
    },
    {
        "match_phrase":{"IPV4_SRC_ADDR":"192.168.0.159"}
    },
    
    {
      "range" : {
        "LAST_SWITCHED" : {
            "gte" : 1513683600
        }
        }
    }
    
  ]
}
},
"aggs": {
  "IN_PKTS": {
    "sum": {
      "field": "IN_PKTS"
    }
  },
  "IN_BYTES": {
    "sum": {
      "field": "IN_BYTES"
    }
  },
  "OUT_BYTES": {
    "sum": {
      "field": "OUT_BYTES"
    }
  },
  "OUT_PKTS": {
    "sum": {
      "field": "OUT_PKTS"
    }
  },
  "percent":{
    "significant_terms" : {
            "field" : "L7_PROTO_NAME",
            "percentage":{}
        }},
    "protocol" : {
         "terms" : {
             "field" : "PROTOCOL",
             "include" : ["17", "6"]      
            }
  },
    "Using_port_count" : {                 
        "cardinality" : {
            "field" : "L4_SRC_PORT"
        }
    }
}
}

but there's some errors.

thank you in advance!

f26227279 · December 26, 2017, 7:32am

this is error message:

"reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [L7_PROTO_NAME] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."

f26227279 · December 26, 2017, 9:47am

ok, I find the answer!

just add .keyword at here then it can run!

"field" : "L7_PROTO_NAME.keyword"

system · January 23, 2018, 9:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.