Filter field by percentage

Hello Community!

I am having a problem formulating a query in Elasticsearch. In this query, I have to group the IPs by the field called ip_address, defined as IP type, and return the ones that have an occurrence greater than or equal to 40%.

For example, if I have a total of 100 documents and there are 40 documents with IP 1.1.1.1, 30 documents with IP 2.2.2.2, and finally 30 documents with IP 3.3.3.3, the expected result should be IP 1.1.1.1.

I have been working on a query, however, it is incomplete:

{
	"aggs": {
		"top_ips": {
			"terms": {
				"field": "ip_address",
				"order": {
					"_count": "desc"
				},
				"size": 5
			}
		}
	},
	"size": 0,
	"fields": [{
		"field": "@timestamp",
		"format": "date_time"
	}, {
		"field": "StartTime",
		"format": "date_time"
	}],
	"query": {
		"bool": {
			"filter": [{
				"range": {
					"EdgeStartTimestamp": {
						"gte": "now-15m"
					}
				}
			}]
		}
	}
}

How could I achieve this?

Thank you very much!

This is something a Bucket script aggregation (Elasticsearch Guide [7.15]) would be best used to do.

I'm not great with scripting, but the thread "Need help to calculate percentage in watcher" has something that might get you started.
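One way to put the pieces together, as an added example that is not code from either post above: a pipeline aggregation cannot read the query's total hit count, so the percentage is turned into an absolute document count first (one request with `track_total_hits`), and that count is then passed as a script parameter to a `bucket_selector` under the terms aggregation. The field names `ip_address` and `EdgeStartTimestamp` come from the question; the aggregation name `ip_over_threshold`, the `shard_size` value and the helper function names are this example's own choices. The sample response at the bottom is constructed to match the 40/30/30 split in the question.

```python
"""Select IPs whose share of the matching documents is >= a percentage.

Added example, not code from the original thread. It assumes an index with an
`ip_address` field of type `ip` and an `EdgeStartTimestamp` date field (both
taken from the question); the aggregation name `ip_over_threshold` and the
helper names are this example's own choices.
"""
import json

LAST_15_MIN = {"range": {"EdgeStartTimestamp": {"gte": "now-15m"}}}


def count_query() -> dict:
    """Step 1: body that returns only the exact number of matching documents.

    `track_total_hits: true` is required; otherwise `hits.total.value` is
    capped at 10,000 and the percentage would be computed against a wrong base.
    """
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {"bool": {"filter": [LAST_15_MIN]}},
    }


def min_count(total: int, percent: int) -> int:
    """Smallest bucket doc_count that is >= percent of total (integer ceiling)."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in (0, 100]")
    return (total * percent + 99) // 100


def top_ip_query(threshold: int, size: int = 5) -> dict:
    """Step 2: terms aggregation on ip_address with a bucket_selector that keeps
    only buckets whose doc_count reaches the threshold from step 1.

    `size` can stay small: at most floor(100 / 40) = 2 IPs can each hold 40% or
    more of the documents, so the top 5 buckets cannot miss a qualifying IP.
    """
    return {
        "size": 0,
        "query": {"bool": {"filter": [LAST_15_MIN]}},
        "aggs": {
            "top_ips": {
                "terms": {
                    "field": "ip_address",
                    "order": {"_count": "desc"},
                    "size": size,
                    # doc_count is exact only if every shard reports every term;
                    # raise shard_size (or use one shard) for a strict percentage.
                    "shard_size": 500,
                },
                "aggs": {
                    "ip_over_threshold": {
                        "bucket_selector": {
                            "buckets_path": {"count": "_count"},
                            "script": {
                                "source": "params.count >= params.min_count",
                                "params": {"min_count": threshold},
                            },
                        }
                    }
                },
            }
        },
    }


def select_ips(search_response: dict, total: int, percent: int) -> list:
    """Client-side version of the same check, applied to a search response.

    Useful when a pipeline aggregation is not an option, and to verify the
    server-side result: both must agree on which IPs pass.
    """
    threshold = min_count(total, percent)
    buckets = search_response["aggregations"]["top_ips"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] >= threshold]


# Constructed sample response mirroring the question's example: 100 documents,
# 40 from 1.1.1.1, 30 from 2.2.2.2, 30 from 3.3.3.3.
SAMPLE_TOTAL = 100
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": SAMPLE_TOTAL, "relation": "eq"}},
    "aggregations": {
        "top_ips": {
            "buckets": [
                {"key": "1.1.1.1", "doc_count": 40},
                {"key": "2.2.2.2", "doc_count": 30},
                {"key": "3.3.3.3", "doc_count": 30},
            ]
        }
    },
}

if __name__ == "__main__":
    total = SAMPLE_RESPONSE["hits"]["total"]["value"]  # from count_query() in practice
    threshold = min_count(total, 40)
    print(json.dumps(top_ip_query(threshold), indent=2))
    print(select_ips(SAMPLE_RESPONSE, total, 40))  # [('1.1.1.1', 40)]
```

If scripting is not wanted at all, the same threshold can be set as `min_doc_count` on the terms aggregation instead of the bucket_selector; the two-request shape stays the same, because the total still has to be known before the buckets can be filtered.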
