Hello Community!
I am having a problem formulating a query in Elasticsearch. In this query, I have to group the IPs by the field called ip_address, defined as IP type, and return the ones that have an occurrence greater than or equal to 40%.
For example, if I have a total of 100 documents and there are 40 documents with IP 1.1.1.1, 30 documents with IP 2.2.2.2, and finally 30 documents with IP 3.3.3.3, the expected result should be IP 1.1.1.1.
I have been working on a query; however, it is incomplete:
```json
{
  "aggs": {
    "top_ips": {
      "terms": {
        "field": "ip_address",
        "order": {
          "_count": "desc"
        },
        "size": 5
      }
    }
  },
  "size": 0,
  "fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "StartTime",
      "format": "date_time"
    }
  ],
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "EdgeStartTimestamp": {
              "gte": "now-15m"
            }
          }
        }
      ]
    }
  }
}
```
How could I achieve this?
Thank you very much!
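One way to get the "IPs with at least 40% of the documents" result described in the post, as an added example that is not code from the original post: build the terms aggregation so that it cannot miss a qualifying IP, then decide the share either client-side from `hits.total`, or server-side with a `bucket_selector` once the total is known from a first request. It assumes the index of the post (`ip_address` of type `ip`, a date field `EdgeStartTimestamp`); the function names `build_query` and `select_ips` and the `SAMPLE_RESPONSE` document are hypothetical, constructed for illustration.

```python
import math
from typing import Optional

# Example constructed for this thread, not code from the original post.
# Assumes the index of the post: an `ip_address` field of type `ip` and an
# `EdgeStartTimestamp` date field. Function names and SAMPLE_RESPONSE are
# hypothetical / constructed for illustration.

IP_FIELD = "ip_address"
TIME_FIELD = "EdgeStartTimestamp"


def build_query(min_share: float, total: Optional[int] = None, window: str = "now-15m") -> dict:
    """Query DSL for the IPs holding at least `min_share` (0..1) of the matching documents.

    Without `total`, the terms buckets are returned and the share is decided
    client-side by `select_ips`. With `total` (taken from a first request's
    hits.total.value), a bucket_selector drops the small buckets server-side.
    """
    if not 0 < min_share <= 1:
        raise ValueError("min_share must be a fraction in (0, 1]")
    # At most floor(1/min_share) distinct IPs can each hold >= min_share of the
    # total, so with buckets ordered by _count desc that many buckets suffice.
    bucket_limit = math.floor(1 / min_share)
    terms_agg = {
        "terms": {
            "field": IP_FIELD,
            "order": {"_count": "desc"},
            "size": bucket_limit,
            # Ask each shard for more candidates so the top counts are exact
            # rather than approximate when the index has several shards.
            "shard_size": max(25, bucket_limit * 10),
        }
    }
    if total is not None:
        terms_agg["aggs"] = {
            "keep": {
                "bucket_selector": {
                    # _count is the bucket's own doc_count; the total must be
                    # supplied as a script param, a pipeline agg cannot read it.
                    "buckets_path": {"count": "_count"},
                    "script": {
                        "source": "params.count >= params.threshold",
                        "params": {"threshold": math.ceil(min_share * total)},
                    },
                }
            }
        }
    return {
        "size": 0,
        "track_total_hits": True,  # exact hits.total.value, not capped at 10000
        "query": {"bool": {"filter": [{"range": {TIME_FIELD: {"gte": window}}}]}},
        "aggs": {"top_ips": terms_agg},
    }


def select_ips(response: dict, min_share: float) -> list[tuple[str, float]]:
    """Return (ip, share) for buckets whose doc_count is >= min_share of hits.total."""
    hits_total = response["hits"]["total"]
    if hits_total.get("relation", "eq") != "eq":
        raise ValueError("hits.total is only a lower bound; set track_total_hits to true")
    total = hits_total["value"]
    if total == 0:
        return []
    return [
        (b["key"], b["doc_count"] / total)
        for b in response["aggregations"]["top_ips"]["buckets"]
        if b["doc_count"] / total >= min_share
    ]


# Constructed response mirroring the post's example: 100 documents, 40 from
# 1.1.1.1, 30 from 2.2.2.2 and 30 from 3.3.3.3, with the terms size of 2 that
# build_query(0.4) requests (the third IP lands in sum_other_doc_count).
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 100, "relation": "eq"}, "hits": []},
    "aggregations": {
        "top_ips": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 30,
            "buckets": [
                {"key": "1.1.1.1", "doc_count": 40},
                {"key": "2.2.2.2", "doc_count": 30},
            ],
        }
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(0.4, total=100), indent=2))
    print(select_ips(SAMPLE_RESPONSE, 0.4))
```

The percentage is relative to the documents that match the `query`, so the same time filter has to be used both for the request that establishes the total and for the aggregation request; otherwise the threshold the `bucket_selector` compares against belongs to a different window than the buckets it filters.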