Filter field by percentage

Hello Community!

I am having a problem formulating a query in Elasticsearch. In this query, I have to group the IPs by the field called ip_address defined as IP type, and return the ones that have an occurrence greater than or equal to 40%.

For example, if I have a total of 100 documents and there are 40 documents with IP, 30 documents with IP, and finally 30 documents with IP, the expected result should be IP

I have been working on a query, however, it is incomplete:

	{
		"aggs": {
			"top_ips": {
				"terms": {
					"field": "ip_address",
					"order": {
						"_count": "desc"
					},
					"size": 5
				}
			}
		},
		"size": 0,
		"fields": [{
			"field": "@timestamp",
			"format": "date_time"
		}, {
			"field": "StartTime",
			"format": "date_time"
		}],
		"query": {
			"bool": {
				"filter": [{
					"range": {
						"EdgeStartTimestamp": {
							"gte": "now-15m"
						}
					}
				}]
			}
		}
	}

How could I achieve this?

Thank you very much!

This is something a Bucket script aggregation | Elasticsearch Guide [7.15] | Elastic would be best used to do.

I'm not great with scripting, but Need help to calculate percentage in watcher has something that might get you started.
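
An added example, not part of the original posts: rather than a bucket script, it computes each IP's share client-side in Python from the response to the terms aggregation in the question. The helper names and the sample response (documentation-range IPs) are constructed for illustration.

```python
# Added example: helper names are hypothetical, SAMPLE is a constructed response.

def build_query(window="now-15m", size=5):
    """The poster's terms aggregation, plus an exact total hit count."""
    return {
        "size": 0,
        # Without this, hits.total stops counting at 10,000 ("relation": "gte").
        "track_total_hits": True,
        "query": {"bool": {"filter": [
            {"range": {"EdgeStartTimestamp": {"gte": window}}}]}},
        "aggs": {"top_ips": {"terms": {
            "field": "ip_address", "order": {"_count": "desc"}, "size": size}}},
    }

def ips_over_share(response, min_percent=40, agg="top_ips"):
    """Return [(ip, doc_count)] for buckets holding >= min_percent of all hits."""
    total = response["hits"]["total"]
    if total["relation"] != "eq":
        raise ValueError("hits.total is only a lower bound; enable track_total_hits")
    # Integer comparison avoids float rounding exactly at the threshold.
    return [(b["key"], b["doc_count"])
            for b in response["aggregations"][agg]["buckets"]
            if total["value"] > 0
            and b["doc_count"] * 100 >= min_percent * total["value"]]

# Constructed response mirroring the 40 / 30 / 30 split described in the question.
SAMPLE = {
    "hits": {"total": {"value": 100, "relation": "eq"}, "hits": []},
    "aggregations": {"top_ips": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
            {"key": "192.0.2.10", "doc_count": 40},
            {"key": "198.51.100.7", "doc_count": 30},
            {"key": "203.0.113.5", "doc_count": 30},
        ]}},
}

if __name__ == "__main__":
    print(ips_over_share(SAMPLE))
```

At a 40% threshold no more than two IPs can qualify, so the `size` of 5 from the original query is enough to catch them.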