How to count the quantity of documents?

f26227279 · December 29, 2017, 4:27am

this is my restful api:
I want to sum the document(total),besides the protocol 17 and 6 .
How can I do.
"Udp|Tcp" : {
"terms" : {
"field" : "PROTOCOL",
"include" : ["17", "6"]
}
}
response:
"Udp|Tcp": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": 6,
"doc_count": 60
},
{
"key": 17,
"doc_count": 8
}
]
}
thank you in adcance!

Magnus_Kessler · December 29, 2017, 6:36am

Hi 張皓翔,

Does the following query achieve your goal? It returns the sum of documents that have either a PROTOCOL value of 6 or 17 in the total hits from the query part, and then spells out the number of documents in each bucket in the aggregation part separately.

{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "PROTOCOL": [
              "6",
              "17"
            ]
          }
        }
      ]
    }
  }, 
  "aggs": {
    "Udp|Tcp": {
      "terms": {
        "field": "PROTOCOL",
        "include": ["6", "17"], 
        "size": 2
      }
    }
  }
}

f26227279 · December 29, 2017, 6:45am

could I return the total documents counts, instead of only the protocol 6 and 17?

thank you in advance!

Magnus_Kessler · December 29, 2017, 6:53am

Yes, just replace the must query with a match_all query:

  "query": {
    "match_all": {}
  },

You can also leave out the query block completely. Without the query block, the response will still contain the total number of documents the aggregation is based on.

f26227279 · December 30, 2017, 11:15am

now this is my Restful API:

GET logstash-2017.12.30/_search
{
"_source": {
  "includes": [ "FIRST_SWITCHED", "LAST_SWITCHED","IPV4_DST_ADDR","L4_DST_PORT","IPV4_SRC_ADDR","L7_PROTO_NAME","PROTOCOL"]
},
"from" : 0, "size" : 0,
"query": {
"bool": {
 "should": [
    {
        "term":{"IPV4_DST_ADDR":"192.168.0.159"}
    },
    {
        "term":{"IPV4_SRC_ADDR":"192.168.0.159"}
    }
  ],
  "minimum_should_match": 1,
  "must":
    {
      "range" : {
        "LAST_SWITCHED" : {
            "gte" : 1514631927
        }
        }
    }
}
},
"aggs": {
    "Udp|Tcp" : {
         "terms" : {
             "field" : "PROTOCOL",
             "include" : ["17", "6"]      
            }
  },"OtherSessions":{
       "terms" : {
             "field" : "PROTOCOL",
             "exclude" : ["17", "6"]      
            }
    
  }
}
}

and the response documents such like:

 "aggregations": {
"Udp|Tcp": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": 6,
      "doc_count": 34
    },
    {
      "key": 17,
      "doc_count": 34
    }
  ]
},
"OtherSessions": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": 2,
      "doc_count": 3
    },
    {
      "key": 1,
      "doc_count": 2
    }
  ]
}

and my goal is:
"buckets": [
{
"key": 6,
"doc_count": 34
},
{
"key": 17,
"doc_count": 34
},
"others"
"doc_count":xxx
]
need not list other key except 17 and 6.
thank you in advance

system · January 27, 2018, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.