Filter result in top-term-aggs

Elastic Stack Elasticsearch
1

I want to filter out field from my results.

My query is,

       {  
       "size":0,
       "aggs":{  
          "top-terms-aggregation":{  
             "terms":{  
                "field":"client_ip.keyword",
                "size":5
             }
          }
       }
    }

which gives output as,

{
  ........................
  ........................
  "buckets": [
    {
      "key": "10.107.**.**",
      "doc_count": ***
    },
    {
      "key": "10.162.**.**",
      "doc_count": ***
    },
    {
      "key": "10.15.**.**",
      "doc_count": ***
    },
    {
      "key": "10.2.**.**",
      "doc_count": ***
    },
    {
      "key": "10.196.**.**",
      "doc_count": **
    }
  ]
}
  }
}

Now in the above output, I want to filter out "10.107.."
So my result should contain top 5 ips but without "10.107.."

Please tell how to achieve this?
Thank you.

2

There are two ways. The "best" way is to use a bool query with a must_not that filters out documents with those IP addresses. The slower way is to use the bucket_selector aggregation. That one is slower because it works on the results. The filtering one should be faster because it has to calculate less data. But they are not the same. They will produce slightly different results though, so use the one that works for you.

3

Thnaks a lot. I will try to do this.

4

I tried following, but getting error.

{
      "query": {
        "bool": {
          "must_not": {
            "client_ip": "10.107.**.**"
          }
        }
      },
      "size":0,
       "aggs":{
          "top-terms-aggregation":{  
             "terms":{  
                "field":"client_ip.keyword",
                "size":5
             }
          }
       }
    }

Error is,

 {
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[client_ip] query malformed, no start_object after query name",
            "line": 5,
            "col": 22
          }
        ],
        "type": "parsing_exception",
        "reason": "[client_ip] query malformed, no start_object after query name",
        "line": 5,
        "col": 22
      },
      "status": 400
    }
5

Solved.
Thanks again.

6

Hey, how to add @timestamp range in this.
I tried various ways, but didn't worked.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.