How to merge the two query syntax

f26227279 · December 29, 2017, 6:55am

I have two syntax to query, and I want to merge them together, so I need only query one time .
How can I do it?
this is my restful api:

GET _search
{
"size" : 0,
"query": {
"bool": {
  "must": [
    {
        "match" : { "_index" : "logstash-2017.12.29" }
    },
    {
        "match_phrase":{"IPV4_DST_ADDR":"120.127.182.114"}
    },
    {
      "range" : {
        "LAST_SWITCHED" : {
            "gte" : 1514513376
        }
        }
    }
    
  ]
}
},
"aggs": {
  "IN_PKTS": {
    "sum": {
      "field": "IN_PKTS"
    }
  },
  "IN_BYTES": {
    "sum": {
      "field": "IN_BYTES"
    }
  },
  "OUT_BYTES": {
    "sum": {
      "field": "OUT_BYTES"
    }
  },
  "OUT_PKTS": {
    "sum": {
      "field": "OUT_PKTS"
    }
  },
  "genres":{
    "terms" : {
            "field" : "L7_PROTO_NAME.keyword",
            "order" : { "in_bytes" : "desc" }
        },
    "aggs":{
      "in_bytes": {
      "sum": { "field":"IN_BYTES"}
    }
    }
  },
    "Udp|Tcp" : {
         "terms" : {
         
             "field" : "PROTOCOL"  
              
            }
  },
    "Using_port_count" : {                 
        "cardinality" : {
            "field" : "L4_SRC_PORT"
        }
    }
 }   
}

and I want to change the IPV4_DST_ADDR field to IPV4_SRC_ADDR and query again.

thank you in advance:slight_smile:

Magnus_Kessler · December 29, 2017, 7:24am

Hi 張皓翔,

If I understand your question correctly you want to search for all entries that match either IPV4_DST_ADDR or IPV4_SRC_ADDR to be 120.127.182.114.

As these are IP addresses, I'd recommend storing them in a field with the IP data type. This will allow you to query for subnets in addition to exact IP addresses.

Your query should contain a should boolean query block, such as

    "bool": {
      "should": [
        {
          "term": {
            "IPV4_DST_ADDR": {
              "value": "120.127.182.114"
            }
          }
        },
        {
          "term": {
            "IPV4_SRC_ADDR": {
              "value": "120.127.182.114"
            }
          }
        }
      ],
      "minimum_should_match": 1
    }

Also, rather than matching on the value of the _index field, please invoke the REST API call on the index name directly:

GET logstash-2017.12.29/_search
{
  ... query goes here ...
}

f26227279 · December 29, 2017, 7:30am

yes. it's very closely.

and when I query the IPV4_SRC_ADDR:120.127.182.114
I want to count:

"aggs":{
  "in_bytes": {
  "sum": { "field":"IN_BYTES"}  //change to OUT_BYTES
}
}
}

thank you

Magnus_Kessler · December 29, 2017, 7:42am

Simply add another aggregation into the same aggs block?

"aggs":{
  "in_bytes": {
    "sum": {
      "field":"IN_BYTES"
    }
  },
  "out_bytes": {
    "sum": {
      "field": "OUT_BYTES"
    }
  }
}

f26227279 · December 29, 2017, 7:48am

yes, my code is the same with you .
but it can't distinguish in_bytes and out_bytes belongs to IPV4_SRC_ADDR:120.127.182.114
or IPV4_DST_ADDR:120.127.182.114

because I want to sum:
IPV4_SRC_ADDR:120.127.182.114 in_bytes+IPV4_DST_ADDR:120.127.182.114 out_bytes

Magnus_Kessler · December 29, 2017, 7:54am

Have a look at Filter Aggregations. You'll have to set up different aggregations for IPV4_DST_ADDR and IPV4_SRC_ADDR, and apply the appropriate filter for each.

f26227279 · December 29, 2017, 10:37am

great thank you! this is the answer way.

system · January 26, 2018, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.