I have got the following problem:
I am collecting the logs of the firewalls and I want to create a graph that sums up
the top 5 source addresses that are creating the most traffic in our network.
The settings are as follows:
I believe the problem is that you're using the "analyzed" value, and not the raw value, for the source-address. When searching on keywords, Elasticsearch doesn't use the actual value; instead it parses the value into a collection of fragments which it uses for searching. Aggregating on that data is usually not very helpful, and isn't what you want in this case.
Instead, you want to aggregate on the raw, not_analyzed value, which you may need to add to your index. You can index both values at the same time, using multi-fields. You'll need to either re-ingest or reindex your data with the updated mapping.
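The following is an added example illustrating the answer above; it is not code from the original poster or from Elastic. It shows the multi-field mapping (analyzed `source-address` plus a `not_analyzed` `raw` sub-field, in the pre-6.x `string` syntax the answer refers to), the terms aggregation that produces the top-5 buckets ordered by summed bytes, and an offline emulation of what aggregating on whole values versus fragments does to the result. The index name `firewall-logs`, the type `firewall`, the `bytes` field and the sample records are all assumptions; the tokenizer in `crude_tokenize` is a deliberately simplistic stand-in and is not Elasticsearch's standard analyzer.

```python
"""Top-N source addresses by traffic: multi-field mapping and terms aggregation.

Added example for this thread (not the original poster's or Elastic's code).
Assumed names: index "firewall-logs", type "firewall", fields "source-address"
(string) and "bytes" (long). The sample log records below are constructed.
"""
import json
import re
from collections import defaultdict

INDEX = "firewall-logs"   # assumed index name
DOC_TYPE = "firewall"     # assumed mapping type (pre-6.x syntax, matching "not_analyzed")


def mapping_with_raw_subfield():
    """Mapping that indexes source-address twice: analyzed for free-text search
    and a not_analyzed 'raw' sub-field for exact-value aggregations."""
    return {
        "mappings": {
            DOC_TYPE: {
                "properties": {
                    "source-address": {
                        "type": "string",
                        "fields": {
                            "raw": {"type": "string", "index": "not_analyzed"}
                        },
                    },
                    "bytes": {"type": "long"},
                }
            }
        }
    }


def top_sources_query(n=5):
    """Terms aggregation on the raw sub-field, top n buckets by summed bytes."""
    return {
        "size": 0,
        "aggs": {
            "top_sources": {
                "terms": {
                    "field": "source-address.raw",
                    "size": n,
                    "order": {"bytes_total": "desc"},
                },
                "aggs": {"bytes_total": {"sum": {"field": "bytes"}}},
            }
        },
    }


# Constructed sample records standing in for firewall log events.
SAMPLE_LOGS = [
    {"source-address": "10.0.0.5", "bytes": 5000},
    {"source-address": "10.0.0.5", "bytes": 7000},
    {"source-address": "10.0.0.9", "bytes": 3000},
    {"source-address": "192.168.1.20", "bytes": 9000},
    {"source-address": "192.168.1.21", "bytes": 1000},
    {"source-address": "172.16.0.3", "bytes": 2500},
    {"source-address": "172.16.0.4", "bytes": 500},
]


def crude_tokenize(value):
    """Crude word-splitting stand-in for an analyzer (NOT Elasticsearch's
    standard analyzer); only illustrates what aggregating on fragments does."""
    return [t for t in re.split(r"[^0-9A-Za-z]+", value.lower()) if t]


def aggregate(records, n=5, analyzed=False):
    """Emulate terms + sum offline: one bucket per whole value (raw) or per
    token (analyzed). Returns [(bucket, total_bytes), ...], top n by bytes."""
    totals = defaultdict(int)
    for rec in records:
        keys = crude_tokenize(rec["source-address"]) if analyzed else [rec["source-address"]]
        for key in keys:
            totals[key] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print(json.dumps(mapping_with_raw_subfield(), indent=2))
    print(json.dumps(top_sources_query(), indent=2))
    print("raw buckets:     ", aggregate(SAMPLE_LOGS))
    print("analyzed buckets:", aggregate(SAMPLE_LOGS, analyzed=True))
```

Run it and compare the two bucket lists: the raw aggregation yields one bucket per address with the heaviest talker first, which is what the graph needs; the fragment-based one yields buckets like `0` that correspond to no host at all. Apply the mapping with `PUT` on a new index and reindex (or re-ingest) the existing logs into it, since the `raw` sub-field is only populated for documents indexed after the mapping exists; the Kibana terms panel then points at `source-address.raw`.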