"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"interval": "30s",
"time_zone": "Asia/Shanghai",
"min_doc_count": 1
},
"aggs": {
"3": {
"terms": {
"field": "flow.src_addr.keyword",
"order": {
"_count": "desc"
},
"size": 5
}
}
}
}
I want to show top 5 ip with time series like the kibana visual builder.
But this aggregation can onliy get top 5 ip in every intervals.
I want only 5 ip with the date histogram , not every intervals.
if you are only interested in the top 5, then why not use a terms aggregation on the src address field? What am I missing that is not covered by that? Or do you want to take the intervals into account? Some more context except a query JSON would be helpful.
Thanks!
Thanks for your reply. Actually, i want to the top 10 ip in the nearest interval. And then show the 10 ip goup by every 5 minutes. It seems that i have to make two queries.
I used kibana visual builder before. It worked like this. So I wonder if I can make it in one query.
Hey,
you can have several aggregations in one search request. Is this for a visualization or for yourself? Just to make sure I understand. the request...
--Alex
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.