How to filter unique values in REST API


(張皓翔) #1

I want to filter unique IPs regardless of whether they are in DST_Local_IP or in SRC_Local_IP.
This is my REST API:

GET /_search
{
  "size": 0,
  "query": {
    "bool": {
      "should": [
        {
          "match": {"IPV4_DST_ADDR": "120.127.0.0/16"}
        },
        {
          "match": {"IPV4_SRC_ADDR": "120.127.0.0/16"}
        },
        {
          "range": {
            "LAST_SWITCHED": {
              "gte": 0
            }
          }
        }
      ],
      "minimum_should_match": 2
    }
  },
  "aggs": {
    "DST_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
            "match": {"IPV4_DST_ADDR": "120.127.0.0/16"}
          }
        }
      },
      "aggs": {
        "dst_local_ip": {
          "terms": {
            "field": "IPV4_DST_ADDR",
            "size": 10000
          }
        }
      }
    },
    "SRC_Local_IP": {
      "filter": {
        "bool": {
          "filter": {
            "match": {"IPV4_SRC_ADDR": "120.127.0.0/16"}
          }
        }
      },
      "aggs": {
        "src_local_ip": {
          "terms": {
            "field": "IPV4_SRC_ADDR",
            "size": 10000
          }
        }
      }
    }
  }
}

I want the return value to be distinct, because an IP in DST_Local_IP may be duplicated in SRC_Local_IP, but I just want the unique IPs regardless of whether the IP is in DST_Local_IP or SRC_Local_IP.

How can I do this? Could you give me some ideas? :)

Thank you in advance!
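
An added example, not part of the original post: one way to get the distinct set is to merge the two `terms` bucket lists on the client after the query above returns. The function name `unique_local_ips` and the sample response are constructed for illustration; the response is assumed to have the standard filter/terms aggregation shape, trimmed to the fields used.

```python
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("120.127.0.0/16")  # CIDR from the query above

# Constructed sample response, trimmed to the fields this example reads.
SAMPLE_RESPONSE = {
    "aggregations": {
        "DST_Local_IP": {
            "dst_local_ip": {
                "sum_other_doc_count": 0,
                "buckets": [
                    {"key": "120.127.1.10", "doc_count": 4},
                    {"key": "120.127.2.20", "doc_count": 3},
                ],
            },
        },
        "SRC_Local_IP": {
            "src_local_ip": {
                "sum_other_doc_count": 2,
                "buckets": [
                    {"key": "120.127.1.10", "doc_count": 5},
                    {"key": "120.127.9.9", "doc_count": 1},
                ],
            },
        },
    }
}

def unique_local_ips(response, network=LOCAL_NET):
    """Return (per-IP doc_count summed over both fields, truncated flag)."""
    counts, truncated = Counter(), False
    pairs = (("DST_Local_IP", "dst_local_ip"), ("SRC_Local_IP", "src_local_ip"))
    for outer, inner in pairs:
        terms = response.get("aggregations", {}).get(outer, {}).get(inner, {})
        # Non-zero means the terms "size" limit cut off some buckets.
        truncated |= terms.get("sum_other_doc_count", 0) > 0
        for bucket in terms.get("buckets", []):
            ip = ipaddress.ip_address(bucket["key"])
            if ip in network:  # re-check CIDR membership on the client
                counts[str(ip)] += bucket["doc_count"]
    return counts, truncated

if __name__ == "__main__":
    counts, truncated = unique_local_ips(SAMPLE_RESPONSE)
    for ip in sorted(counts, key=ipaddress.ip_address):
        print(ip, counts[ip])
    print("truncated:", truncated)
```

A flow whose source and destination are both inside the network contributes to both bucket lists, so the summed count is per-field occurrences rather than distinct flows; the key set is the distinct IP list.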

