IP range aggregation


(bluren) #1

How exactly do I run an aggregation on a range of IP addresses?
E.g., if I need to get the sum of 'bytes' on IPs ranging like 10.5.0.0-10.5.0.10, how do I do it?

I've looked at IP Range aggregations but am finding it a bit difficult to wrap my head around it.
I get the feeling that the documentation is referring to something like -

from 10.5.0.0 to *
OR
from * to 10.5.0.10

How do I run an aggregation query based on specific IP ranges?

To give a bigger picture, I'm trying to aggregate total volume in terms of bytes, for the last 7 days on a particular set of IP ranges.

This is my query at the moment. It gets me the aggregation, but I want to further filter it down and have it run on only IP ranges.

{
      "size": 0,
      "aggs": {
        "days_filter": {
          "filter": {
            "range": {
              "@timestamp": {
                "gt": "now-6d",
                "lte": "now"
              }
            }
          },
          "aggs": {
            "traffic_aggregation": {
              "date_histogram": {
                "field": "@timestamp",
                "interval": "day"
              },
              "aggs": {
                "in_bytes": {
                  "sum": {
                    "field": "netflow.in_bytes"
                  }
                },
                "out_bytes": {
                  "sum": {
                    "field": "netflow.out_bytes"
                  }
                }
              }
            }
          }
        }
      }
}

(Alexander Reelsen) #2

The documentation defines two ranges. One from 10.0.0.5 to anything, one from anything up to 10.0.0.5.

In your case you need to decide where to put this agg. Do you first want to split by day and then by IP range agg, or by IP range first and then by day?
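
An added example, not part of the original posts: a request body with a bounded `ip_range` (both `from` and `to`) split by IP range first and then by day, with the 7-day filter moved into the query. The IP field name `netflow.ipv4_src_addr` and the helper names are assumptions; the field must be mapped as type `ip`.

```python
import ipaddress
import json

# Assumption: hypothetical name of a field mapped as type "ip"; use your own.
IP_FIELD = "netflow.ipv4_src_addr"


def to_ip_range(first, last):
    """Turn an inclusive first-last pair into one ip_range entry.

    ip_range buckets include `from` and exclude `to`, so the upper
    bound sent to Elasticsearch is the address after `last`. If `last`
    is the top of the address space, `to` is left open instead.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first}-{last}")
    entry = {"key": f"{first}-{last}", "from": str(lo)}
    if int(hi) < 2 ** hi.max_prefixlen - 1:
        entry["to"] = str(hi + 1)
    return entry


def build_query(ranges, ip_field=IP_FIELD):
    """Per-range, per-day byte sums over the last 7 days."""
    sums = {
        "in_bytes": {"sum": {"field": "netflow.in_bytes"}},
        "out_bytes": {"sum": {"field": "netflow.out_bytes"}},
    }
    per_day = {
        "date_histogram": {"field": "@timestamp", "interval": "day"},
        "aggs": sums,
    }
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gt": "now-6d", "lte": "now"}}},
        "aggs": {
            "by_ip_range": {
                "ip_range": {
                    "field": ip_field,
                    "ranges": [to_ip_range(a, b) for a, b in ranges],
                },
                "aggs": {"traffic_aggregation": per_day},
            }
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_query([("10.5.0.0", "10.5.0.10")]), indent=2))
```

To split by day first, nest `by_ip_range` inside `traffic_aggregation` instead.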

