Date histogram query; count values

Hello, I am new to elastic, I am having some problems with queries.

I would like to do a date-histogram aggregation like query, where I can specify a time interval and get count values, but for specific values of a field. For example, I want a counter that indicates how many times an ip appears in the field "src_ip" for each time interval, specifying start and end to the search windows. I don't know how to combine buckets to get this result.

I can do it on kibana, but I want to get a query to integrate in a python program, but I can't figure out how to do it.

What you're looking for is a date histogram and inside of that nest an IP range aggregation or, if you want an approximate count of individual IP addresses, a terms aggregation or, if you want an exhaustive list of all IP addresses, a composite aggregation.

Here's a tip as well: if you know how to get a visualization in Kibana and want to learn how to build a similar query, you can do that!

Open your visualization and find the up arrow at the bottom and click it:

Screen Shot 2018-05-10 at 6.41.15 AM.png1688×1142 52.7 KB

You'll see this tabular view of the data. You can export the raw data here, but what we're interested is getting the Elasticsearch request, so click that

Screen Shot 2018-05-10 at 6.42.16 AM.png1758×1138 114 KB

Tada! You now have an Elasticsearch query that you can use as the building blocks for your own.

Screen Shot 2018-05-10 at 6.42.46 AM.jpg1762×1142 107 KB

Kibana sometimes adds some extra "stuff" that you may not need, so you can search the Elasticsearch documentation on our website to see what things like this excludes thing under _source does.

Thanks!, I think this is what I was looking for, however, that kibana to request option was really helpful.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.