Elasticsearch query: merging multiple documents

I am trying to merge multiple documents together if they contain the same src IP address within the last 10 minutes.

The situation is that Zscaler sends us multiple documents (one per request) for each blocked botnet request.

I have so far two separate queries: last 5 minutes, and top hits for the src field. Am I on the right track, and how do I combine them?

GET zscaler-*/_search
{
  "size": 0,  
  "aggs": {
    "by_id": {
      "terms": {
        "field": "src",
        "min_doc_count": 2
      },
      "aggs": {
        "same_ids": {
          "top_hits": {
            "size": 100
          }
        }
      }
    }
  }
}

GET zscaler-*/_search
{
  "query": {
    "range": {
      "msgSubmissionTime": {
        "gte": "now-5m",
        "lt": "now"
      }
    }
  }
}
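The two requests above combine into a single one: the range query goes under "query", where it filters documents to the time window before anything is aggregated, and the terms/top_hits aggregation then groups what is left by src. The script below is an added example, not code from the original post or from Zscaler or Elastic; it builds that combined request body, flattens the response shape Elasticsearch returns for it, and runs an equivalent grouping client-side over constructed sample documents so the result can be checked offline. It assumes src is mapped as keyword (a terms aggregation on a text field fails unless fielddata is enabled) and that msgSubmissionTime is a date field; the bucket size of 50 and the 10-minute window are chosen for illustration.

```python
"""Combined form of the two requests in the post: the range filter narrows
documents to the time window first, then the terms aggregation on src groups
what is left and top_hits returns the individual requests inside each group.
A client-side equivalent over constructed documents is included for checking.
"""
import json
from datetime import datetime, timedelta, timezone


def build_query(window="10m", min_doc_count=2, hits_per_src=100, max_srcs=50):
    """Return the request body that merges the post's two queries."""
    return {
        "size": 0,  # no top-level hits; everything comes back inside the buckets
        "query": {
            # Same range query as the second request; applied before aggregating.
            "range": {"msgSubmissionTime": {"gte": f"now-{window}", "lt": "now"}}
        },
        "aggs": {
            "by_src": {
                "terms": {
                    "field": "src",                  # assumed keyword-mapped
                    "size": max_srcs,                # how many src buckets to return
                    "min_doc_count": min_doc_count,  # only sources seen at least twice
                },
                "aggs": {
                    "requests": {
                        "top_hits": {
                            "size": hits_per_src,
                            "sort": [{"msgSubmissionTime": {"order": "desc"}}],
                        }
                    }
                },
            }
        },
    }


def buckets_from_response(resp):
    """Flatten an Elasticsearch response to build_query() into {src: [docs]}."""
    out = {}
    for bucket in resp["aggregations"]["by_src"]["buckets"]:
        hits = bucket["requests"]["hits"]["hits"]
        out[bucket["key"]] = [h["_source"] for h in hits]
    return out


# Constructed sample documents (not real Zscaler output); only the two fields
# used by the post's queries are included. Window is [11:50, 12:00).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"src": "10.0.0.5", "msgSubmissionTime": "2024-05-01T11:58:00+00:00"},
    {"src": "10.0.0.9", "msgSubmissionTime": "2024-05-01T11:59:00+00:00"},
    {"src": "10.0.0.5", "msgSubmissionTime": "2024-05-01T11:52:00+00:00"},
    {"src": "192.168.1.20", "msgSubmissionTime": "2024-05-01T11:57:00+00:00"},
    {"src": "10.0.0.5", "msgSubmissionTime": "2024-05-01T11:40:00+00:00"},  # outside window
    {"src": "192.168.1.20", "msgSubmissionTime": "2024-05-01T11:49:00+00:00"},  # outside window
    {"src": "10.0.0.5", "msgSubmissionTime": "2024-05-01T11:55:00+00:00"},
]


def merge_by_src(docs, now=NOW, window=timedelta(minutes=10), min_doc_count=2):
    """Client-side equivalent of build_query(): keep docs in [now-window, now),
    group them by src, drop sources below min_doc_count, newest request first."""
    start = now - window
    groups = {}
    for doc in docs:
        ts = datetime.fromisoformat(doc["msgSubmissionTime"])
        if not (start <= ts < now):
            continue
        groups.setdefault(doc["src"], []).append(doc)
    return {
        src: sorted(hits, key=lambda d: d["msgSubmissionTime"], reverse=True)
        for src, hits in groups.items()
        if len(hits) >= min_doc_count
    }


if __name__ == "__main__":
    # Paste the printed body after "GET zscaler-*/_search" in the console.
    print(json.dumps(build_query(), indent=2))
    for src, hits in merge_by_src(SAMPLE_DOCS).items():
        print(src, [h["msgSubmissionTime"] for h in hits])
```

With the sample data only 10.0.0.5 survives: 10.0.0.9 has a single request and 192.168.1.20's second request falls outside the window, so both drop below min_doc_count, exactly as the server-side aggregation would drop them. Two things to keep in mind when moving to real indices: the terms aggregation returns at most "size" buckets ordered by doc_count, so a busy index may need a larger size or a further filter, and the top_hits "size" caps how many requests you see per source, not how many were counted.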
