How to perform sum aggregation and term aggregation in single query?

Harish_fragger · February 24, 2022, 11:09am

I want to know if there is a method to write a query that can get the sum of a field value and such type of fields top 10 occurrences. For example, if I have 20 IP address in 100 documents and each document also tells me the amount of bytes sent and received by that IP at a point of time.

{ 'ip' : "192.168.0.1",
"sentbytes" : "20",
"receivebytes" : "10",
},
{ 'ip' : "183.19.22.15",
"sentbytes" : "20",
"receivebytes" : "10",
},
and so on

Is there a concept where I will get the top 10 IP's that have shared the maximum amount of send bytes and IP's that have max. receive bytes.

I know that Term aggregation will give me top 10 occurrences of IP and sum will sum up the IP's but I want to kind of merge these 2 functionalities.

Example output:
{ 'ip' : "192.168.0.1",
"sentbytes" : "100",
"receivebytes" : 200,
}
{ 'ip' : "183.19.22.15",
"sentbytes" : "20",
"receivebytes" : "10",
}

NOTE: My sentBytes and receivebytes are of type KEYWORD

spinscale · February 24, 2022, 3:52pm

Just to be sure, we're talking about the same thing, maybe provide a small example and expected result.

First, you can have a terms aggregation and then within each term (which is an IP) you could have a sum aggregation.

Second, if you want to do math operations like summing values up, your field types MUST be numbers and not keywords.

Hope this helps as a start.

system · March 24, 2022, 3:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.