How to count tuples of 3 variables, sorted

Greetings community,

I'm new to elasticsearch, so first of all sorry for my questions being so
basic.

I developed a flow collector which dumps flows to my elasticsearch server.
Right now I use Kibana to perform the Top 10 destination and Top 10 source
IP filters, and such.
But the query I'm having more difficulty with is knowing the Top 10
combinations of (source + dest + dest_port), so that I can know what the top
flows are, and from which IPs and to which destinations and protocols.

Example:

{
  "aggs": {
    "tupulo_teste": {
      "value_count": {
        "field": "SRC_ADDR",
        "field": "DST_ADDR",
        "field": "DST_PORT"
      }
    }
  }
}

This does not compute all combinations of (SRC_ADDR, DST_ADDR, DST_PORT),
nor even sort them to give the Top 10 hits. If you are familiar with Splunk, I
need the equivalent of "stats count by a,b,c | sort 10 -count".

I've tried:

{
  "aggs": {
    "src": {
      "terms": {"field": "SRC_ADDR"},
      "aggs": {
        "dst": {
          "terms": {"field": "DST_ADDR"},
          "aggs": {
            "dstprt": {
              "terms": {"field": "DST_PORT"}
            }
          }
        }
      }
    }
  }
}

but this produces a strange and long combination, also without sorting.

Can someone please help me with how to produce this result combination, with a
sort by occurrence count?

Thank you

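The Splunk pipeline asked for above ("stats count by a,b,c | sort 10 -count") maps onto a single terms-style aggregation whose bucket key is the whole (SRC_ADDR, DST_ADDR, DST_PORT) tuple, rather than three nested terms aggregations, which give a tree of per-source, per-destination, per-port counts that is not globally sorted. The example below is added here and is not code from the original post or from Elasticsearch itself. It builds two query bodies (a `multi_terms` aggregation, which assumes Elasticsearch 7.12 or newer, and a script-keyed `terms` aggregation as a fallback, which assumes a release with Painless), includes a local reference implementation of the same count-and-sort over a constructed set of flow records so the expected answer is visible, and flattens an aggregation response (also constructed) into (src, dst, port, count) rows. The field names are the ones from the post and are assumed to be keyword (not analyzed) fields.

```python
"""Top-N (SRC_ADDR, DST_ADDR, DST_PORT) flow tuples in Elasticsearch, i.e. the
equivalent of Splunk's "stats count by a,b,c | sort 10 -count".

Added example, not from the original post.  Assumptions: SRC_ADDR / DST_ADDR /
DST_PORT are keyword fields; multi_terms needs Elasticsearch >= 7.12; the
scripted terms aggregation needs Painless.  All sample data is constructed.
"""
import json
from collections import Counter

TUPLE_FIELDS = ("SRC_ADDR", "DST_ADDR", "DST_PORT")


def multi_terms_query(size=10):
    """Query body using the multi_terms aggregation (ES >= 7.12).

    Buckets are ordered by _count descending by default, so 'size' alone
    yields the Top-N tuples; no nesting and no client-side sorting needed.
    """
    return {
        "size": 0,  # only the aggregation, not the matching flow documents
        "aggs": {
            "top_flows": {
                "multi_terms": {
                    "terms": [{"field": f} for f in TUPLE_FIELDS],
                    "size": size,
                }
            }
        },
    }


def scripted_terms_query(size=10, sep="|"):
    """Fallback for releases without multi_terms: one terms aggregation keyed
    on a Painless script that concatenates the three fields.  Script keys are
    computed per document, so this is slower than a field-based aggregation."""
    source = (" + '%s' + " % sep).join("doc['%s'].value" % f for f in TUPLE_FIELDS)
    return {
        "size": 0,
        "aggs": {
            "top_flows": {
                "terms": {
                    "script": {"lang": "painless", "source": source},
                    "size": size,
                    "order": {"_count": "desc"},  # explicit, same as default
                }
            }
        },
    }


def top_tuples(flows, n=10):
    """Reference implementation over a list of flow dicts: exactly what
    'stats count by SRC_ADDR,DST_ADDR,DST_PORT | sort n -count' returns.
    Used here to show the expected answer for the constructed sample."""
    counts = Counter(tuple(f[k] for k in TUPLE_FIELDS) for f in flows)
    # most_common sorts by count descending; ties keep first-seen order
    return [key + (c,) for key, c in counts.most_common(n)]


def buckets_to_tuples(response, agg_name="top_flows", sep="|"):
    """Flatten an aggregation response (multi_terms list keys or scripted
    string keys) into (src, dst, port, count) rows in bucket order."""
    rows = []
    for b in response["aggregations"][agg_name]["buckets"]:
        key = b["key"]
        if isinstance(key, str):  # scripted terms: "src|dst|port"
            key = key.split(sep)
        src, dst, port = key
        rows.append((src, dst, int(port), b["doc_count"]))
    return rows


# Constructed flow records (not real traffic): 11 flows, 4 distinct tuples.
SAMPLE_FLOWS = (
    [{"SRC_ADDR": "10.0.0.5", "DST_ADDR": "192.0.2.10", "DST_PORT": 443}] * 5
    + [{"SRC_ADDR": "10.0.0.7", "DST_ADDR": "192.0.2.10", "DST_PORT": 443}] * 3
    + [{"SRC_ADDR": "10.0.0.5", "DST_ADDR": "192.0.2.10", "DST_PORT": 22}] * 2
    + [{"SRC_ADDR": "10.0.0.9", "DST_ADDR": "198.51.100.1", "DST_PORT": 53}]
)

# Constructed response: what multi_terms returns for SAMPLE_FLOWS.
SAMPLE_RESPONSE = {
    "aggregations": {"top_flows": {"buckets": [
        {"key": ["10.0.0.5", "192.0.2.10", 443], "doc_count": 5},
        {"key": ["10.0.0.7", "192.0.2.10", 443], "doc_count": 3},
        {"key": ["10.0.0.5", "192.0.2.10", 22], "doc_count": 2},
        {"key": ["10.0.0.9", "198.51.100.1", 53], "doc_count": 1},
    ]}}
}


if __name__ == "__main__":
    print(json.dumps(multi_terms_query(), indent=2))
    for row in buckets_to_tuples(SAMPLE_RESPONSE):
        print("%-12s -> %-14s :%-5d %d flows" % row)
```

Send the body of `multi_terms_query()` to `GET <index>/_search` and read `aggregations.top_flows.buckets`; each bucket's `key` is the tuple and `doc_count` is the number of flows for it. Note that `size` on a terms-style aggregation is applied per shard before the results are merged, so on a large, sharded index the top 10 can be approximate; raising `shard_size` trades memory for accuracy if the counts at the bottom of the list matter.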