Filter terms aggregation in order to see only terms with more than 10 results

ebuildy · November 29, 2015, 8:28pm

I have ton of documents like this:

{ "ip" : "77.....", "event" : "buy", "time" : "11:00..."}
{"ip" : "75.....", "event" : "search", "time" : "11:01..."}

I would like to setup an alert if a client is generating too many events in a specified time window, so I am doing the following aggregation:

"aggs" : {
"ips_per_minute" : {
    "date_histogram" : {
        "field" : "time",
        "interval" : "1m"
    },
    "aggs": {
        "queries_per_ip": {
            "terms": {
                "field": "client"
            }
        }
    }
}

But it gives me ALL data, I would like to filter " IF COUNT(ips) > 10 BY 1m"

mainec · November 29, 2015, 9:41pm

The min_doc_count parameter documented here

https://www.elastic.co/guide/en/elasticsearch/reference/1.4/search-aggregations-bucket-terms-aggregation.html

should help you solve your problem.

Hope this helps,
Isabel

ebuildy · November 30, 2015, 9:17am

D'oh !

Ya this is exactly that I was looking for, many thanks.

Was looking for a so complicated solution (with pipeline & co') then I didn't read all the doc of terms aggregation...

mainec · December 2, 2015, 6:42am

No worries - glad it was the right solution.