hey all, I'm having trouble formulating a query, and I'm hoping someone can help. This is the format of my data:
{
"srcIp": "192.168.0.54",
"dstIp": "74.125.195.147",
"srcMac": ["ec:f4:bb:4f:b0:96", "0a:f7:bc:44:c0:d7"],
"dstMac": ["78:54:2e:9f:10:28"],
}
My objective is to return a list of unique srcIp's, and count the number of srcMac's for each unique srcIp that have the prefix ec:f4:bb.
The query I have at the moment is:
{
"size": 0,
"aggs" : {
"unique_ips": {
"terms": {
"field": "srcIp",
},
"aggs": {
"num_macs": {
"cardinality": {
"field": "srcMac"
}
}
}
}
}
}
And this works great; it returns the number of srcMac elements for each unique srcIp. However, it doesn't match the prefix string. To be explicit, for the provided sample data, i want it to return srcIp: 192.168.0.54 and num_macs: 1, as only the first element of the srcMac list matches the prefix ec:f4:bb.
I've tried a number of combinations of filter, filters, nested, match, and wildcard directives, but haven't been able to get it to do what I want. For some of them, it looks like they may not work with aggregations, and others it's probably likely that I just don't know what I'm doing.
Can anyone point me in the right direction/give me an example of how I can get what I want out of this? Any answers are appreciated.
Cheers.