Histogram aggregation on ip addresses

any_any_drop · March 19, 2017, 2:53pm

Hi there,
in ES 2 I've been using histogram aggregations to count the number of ip addresses in class c (/24) networks like so:

    "NETWORKS": {
      "histogram": {
        "field": "ip",
        "interval": 256
      } } }```

Result:
``` {"key_as_string": "10.11.11.0",
          "key": 168495872,
          "doc_count": 5 },
        { "key_as_string": "10.11.12.0",
          "key": 168496128,
          "doc_count": 5 }```

Using ES 5 the aggregation does not work any more:
```"caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Expected numeric type on field [ip], but got [ip]"
        }```

I was thinking about calculating these values using scripts, but they (painless) don't seem to handle ip addresses:  [Scripts can't handle IP fields #20067](https://github.com/elastic/elasticsearch/issues/20067).
Another idea was to use [IP Range Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-iprange-aggregation.html) but it does not work with unknown network ranges.

Does anyone have an idea how to accomplish this in ES 5?

Thanks and cheers,
Markus

ywelsch · March 24, 2017, 9:41am

Scripts on ip addresses should work since ES 5.2.0, see

and the example:

https://github.com/elastic/elasticsearch/blob/master/modules/lang-painless/src/test/resources/rest-api-spec/test/painless/50_script_doc_values.yaml

Alternatively you could also categorize the IP address at index time and then use a simple keyword field to store the class c information, and then use a term aggregation on that field to do the count.

system · April 21, 2017, 9:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.