Filter terms aggregation in order to see only terms with more than 10 results

ebuildy · November 29, 2015, 8:28pm

I have ton of documents like this:

{ "ip" : "77.....", "event" : "buy", "time" : "11:00..."}
{"ip" : "75.....", "event" : "search", "time" : "11:01..."}

I would like to setup an alert if a client is generating too many events in a specified time window, so I am doing the following aggregation:

"aggs" : {
"ips_per_minute" : {
    "date_histogram" : {
        "field" : "time",
        "interval" : "1m"
    },
    "aggs": {
        "queries_per_ip": {
            "terms": {
                "field": "client"
            }
        }
    }
}

But it gives me ALL data, I would like to filter " IF COUNT(ips) > 10 BY 1m"

mainec · November 29, 2015, 9:41pm

The min_doc_count parameter documented here

https://www.elastic.co/guide/en/elasticsearch/reference/1.4/search-aggregations-bucket-terms-aggregation.html

should help you solve your problem.

Hope this helps,
Isabel

ebuildy · November 30, 2015, 9:17am

D'oh !

Ya this is exactly that I was looking for, many thanks.

Was looking for a so complicated solution (with pipeline & co') then I didn't read all the doc of terms aggregation...

mainec · December 2, 2015, 6:42am

No worries - glad it was the right solution.

Topic		Replies	Views
Agggregation question Elasticsearch	2	563	November 24, 2017
Filter facet by term count Elasticsearch	3	337	July 6, 2017
Terms aggregation with a limit Elasticsearch	2	1929	July 6, 2017
Max_doc_count in terms aggragation Elasticsearch	2	4329	June 7, 2018
How to put a filter in an aggs? Elasticsearch	1	414	July 6, 2017

Filter terms aggregation in order to see only terms with more than 10 results

Related topics