Date histogram query; count values

jfdsa · May 10, 2018, 9:42am

Hello, I am new to elastic, I am having some problems with queries.

I would like to do a date-histogram aggregation like query, where I can specify a time interval and get count values, but for specific values of a field. For example, I want a counter that indicates how many times an ip appears in the field "src_ip" for each time interval, specifying start and end to the search windows. I don't know how to combine buckets to get this result.

I can do it on kibana, but I want to get a query to integrate in a python program, but I can't figure out how to do it.

shanec · May 10, 2018, 2:00pm

What you're looking for is a date histogram and inside of that nest an IP range aggregation or, if you want an approximate count of individual IP addresses, a terms aggregation or, if you want an exhaustive list of all IP addresses, a composite aggregation.

Here's a tip as well: if you know how to get a visualization in Kibana and want to learn how to build a similar query, you can do that!

Open your visualization and find the up arrow at the bottom and click it:

You'll see this tabular view of the data. You can export the raw data here, but what we're interested is getting the Elasticsearch request, so click that

Tada! You now have an Elasticsearch query that you can use as the building blocks for your own.

Kibana sometimes adds some extra "stuff" that you may not need, so you can search the Elasticsearch documentation on our website to see what things like this excludes thing under _source does.

jfdsa · May 11, 2018, 6:44am

Thanks!, I think this is what I was looking for, however, that kibana to request option was really helpful.

system · June 8, 2018, 6:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.