Hello,
I have an index in which I store mail metadata (sender IP, subject, etc.). What I'm trying to do is get the number of IPs which send over 1000 mails. (So, for example, let's say we have 3 IP addresses: 2000 mails are sent from the first IP, 1500 from the second and 200 from the third. Then I want to see 2 as the aggregation result.) I wrote the following query:
GET /my_index/_search
{
  "size": 0,
  "aggs": {
    "ipAddresses": {
      "terms": {
        "field": "senderIpAddress",
        "min_doc_count": 1000,
        "size": 0
      }
    }
  }
}
I can get the buckets and calculate their number in my back-end implementation; however, I need to get all the data in the buckets in order to do this. It is slow, and I want to get the bucket count without getting all the data.
Question: how can I get the total number of aggregation buckets without retrieving the whole data?
Note: I want to see the number of IP addresses that more than 1000 mails are sent from. If I just do a simple cardinality, then at the end of the day we will count the IP addresses that fewer than 1000 mails are sent from as well.
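The following is an added example, not code from the post or from Elasticsearch itself. It reproduces locally what the terms aggregation above returns for the three-IP scenario in the question, shows the back-end counting step the poster describes as slow, and adds a second request body that uses Elasticsearch's stats_bucket pipeline aggregation (a standard sibling pipeline aggregation, not something the post mentions) so that the server returns the number of buckets directly. The sample mail records and the IP addresses are constructed; `simulate_terms_aggregation` and `simulate_stats_bucket` are stand-ins for the cluster so the example runs offline.

```python
from collections import Counter

# Constructed sample documents (not from the post): one record per mail,
# matching the scenario in the question (2000 / 1500 / 200 mails per IP).
SAMPLE_MAILS = (
    [{"senderIpAddress": "203.0.113.10", "subject": "invoice"}] * 2000
    + [{"senderIpAddress": "203.0.113.20", "subject": "newsletter"}] * 1500
    + [{"senderIpAddress": "203.0.113.30", "subject": "hello"}] * 200
)


def build_terms_query(field, min_doc_count, size):
    """Request body equivalent to the one in the post.

    The post uses "size": 0 inside "terms" to mean "all buckets"; Elasticsearch
    5.0 and later reject that and require an explicit upper bound, so the limit
    is a parameter here. The outer "size": 0 suppresses the hits themselves.
    """
    return {
        "size": 0,
        "aggs": {
            "ipAddresses": {
                "terms": {"field": field, "min_doc_count": min_doc_count, "size": size}
            }
        },
    }


def build_bucket_count_query(field, min_doc_count, size):
    """Same terms aggregation plus a stats_bucket sibling pipeline aggregation.

    stats_bucket over "ipAddresses>_count" returns count/min/max/avg/sum of the
    per-bucket doc_counts; its "count" is the number of buckets that survived
    min_doc_count, i.e. the number the poster wants, computed server-side.
    """
    body = build_terms_query(field, min_doc_count, size)
    body["aggs"]["qualifyingIps"] = {
        "stats_bucket": {"buckets_path": "ipAddresses>_count"}
    }
    return body


def simulate_terms_aggregation(docs, field, min_doc_count):
    """Stand-in for the cluster: one bucket per distinct value, keeping only
    buckets whose doc_count is at least min_doc_count (the terms semantics)."""
    counts = Counter(d[field] for d in docs)
    buckets = [
        {"key": key, "doc_count": n}
        for key, n in counts.most_common()
        if n >= min_doc_count
    ]
    return {"aggregations": {"ipAddresses": {"buckets": buckets}}}


def simulate_stats_bucket(response):
    """Stand-in for what the stats_bucket pipeline adds to the response."""
    doc_counts = [b["doc_count"] for b in response["aggregations"]["ipAddresses"]["buckets"]]
    response["aggregations"]["qualifyingIps"] = {
        "count": len(doc_counts),
        "min": min(doc_counts) if doc_counts else None,
        "max": max(doc_counts) if doc_counts else None,
        "avg": sum(doc_counts) / len(doc_counts) if doc_counts else None,
        "sum": sum(doc_counts),
    }
    return response


def count_buckets_client_side(response):
    """The poster's current approach: pull every bucket and count them in the back end."""
    return len(response["aggregations"]["ipAddresses"]["buckets"])


def count_buckets_from_pipeline(response):
    """Read the bucket count the server computed; no bucket payload needed."""
    return response["aggregations"]["qualifyingIps"]["count"]


if __name__ == "__main__":
    resp = simulate_terms_aggregation(SAMPLE_MAILS, "senderIpAddress", 1000)
    print("client-side count:", count_buckets_client_side(resp))        # 2
    print("pipeline count:", count_buckets_from_pipeline(simulate_stats_bucket(resp)))  # 2
```

With the pipeline variant the back end can ignore the per-IP buckets entirely and read a single number from `aggregations.qualifyingIps.count`; the buckets are still computed on the cluster, so the terms `size` must remain large enough to hold every IP that passes `min_doc_count`.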