How to filter document count?

f26227279 · July 17, 2018, 4:53am

Hi, I want to filter document count. If there's an IP which document count doesn't exceed 10 then I want to filter it out.
my REST API query:

GET /_search
  {
  "size" : 0,
  "query": {
    "bool": {
      "should": [
        {
            "match":{"IPV4_DST_ADDR":"192.168.0.0/16"}
        },
        {
            "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"}
        },
        {
          "range":{
            "@timestamp":{
            "gte":"2017-10-20T11:00:00",
            "lt":"now"
            }
          }
        }
      ],
      "minimum_should_match": 2
    }
  },
    "aggs": {
      "DST_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
              "match":{"IPV4_DST_ADDR":"192.168.0.0/16"}
            }
          }
        },
      "aggs": {
         "dst_local_ip" : {
             "terms" : {
                 "field" : "IPV4_DST_ADDR",
                 "size": 100000
              }
            }
         }
      }, 
      "SRC_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
              "match":{"IPV4_SRC_ADDR":"192.168.0.0/16"}
            }
          }
        },
      "aggs": {
         "src_local_ip" : {
             "terms" : {
                 "field" : "IPV4_SRC_ADDR",
                 "size": 100000
              }
            }
         }
      }
   }
}

thank you in advance!

system · August 14, 2018, 5:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.