Hi,
I got a metric with various SUM of bytes. Now I want to use the json input field to separate the SUM per subnet (e.g. 192..., 172...) .
However I have no clue how the json format is supposed to look. The documentation is no help at all.
How can I create a json search that searches for 192.168.0.*?
edit: something like {"dst_addr":"192.168.0.*"} just results in errors.
I don't think you want to use the JSON input to do the separation. You probably want to use a "Split Group" bucket aggregation to define the groups/buckets that you want "sum of bytes" aggregation to be calculated in.
Since it seems you want to group by an IPv4 address I recommend using the "IPv4 Range" bucket aggregation and then define the address ranges that you want represented on the dst_addr field. If you're comfortable with CIDR masks, you can use those too.
My data is a little different from yours, so I used different ranges, but this is what I did to split the metric by IP range:
Thanks. I don't have my fields configured for the IP type though. Can't remember why I didn't do that. The IP field type does support wildcard searches? Some of my dashboards rely on being able to do something like 192.168.0.*.
I’m not 100% sure you can use wildcards but you can use CIDR notation, so you could write 192.168.0.0/24 Which roughly translates to 192.168.0.*
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
