Merging results of similar aggregation buckets to perform union and intersect


#1

Here is an example of the aggregation bucket results that I have now:
{
  "aggregations": {
    "by ip": {
      "buckets": [
        {
          "key": "192.168.0.1",
          "doc_count": 2,
          "by date": {
            "buckets": [
              {
                "key_as_string": "2018-01-01T00:00:00.000Z",
                "key": 1111000000000,
                "doc_count": 1,
                "by ports": {
                  "buckets": [
                    { "key": "TCP1", "doc_count": 1 },
                    { "key": "TCP2", "doc_count": 1 }
                  ]
                }
              },
              {
                "key_as_string": "2018-01-02T00:00:00.000Z",
                "key": 1000000000000,
                "doc_count": 1,
                "by ports": {
                  "buckets": [
                    { "key": "TCP2", "doc_count": 1 },
                    { "key": "UDP1", "doc_count": 1 }
                  ]
                }
              }
            ]
          }
        }
      ]
    }
  }
}

How do I merge the results of the 2 bucket days together to get calculations such as the union and intersect of the ports that I can set to new aggregation buckets?

Union: TCP1, TCP2, UDP1
Intersect: TCP2

It seems that the default bucket and pipeline aggregation features are unable to perform this. Would a painless/python bucket script aggregation work and are there any other alternative methods?
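Since bucket and pipeline aggregations do not offer set operations across sibling buckets, one workable alternative is to compute the union and intersection on the client after the response comes back. The following is an added example, not code from the original post or from Elasticsearch; it assumes the response has been parsed into a Python dict, uses the bucket names from the post ("by ip", "by date", "by ports"), and embeds a constructed sample response built from the post's data with the closing brackets the fragment omitted.

```python
import json

# Constructed sample response mirroring the aggregation output in the post.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by ip": {
            "buckets": [
                {
                    "key": "192.168.0.1",
                    "doc_count": 2,
                    "by date": {
                        "buckets": [
                            {
                                "key_as_string": "2018-01-01T00:00:00.000Z",
                                "key": 1111000000000,
                                "doc_count": 1,
                                "by ports": {"buckets": [{"key": "TCP1", "doc_count": 1},
                                                         {"key": "TCP2", "doc_count": 1}]},
                            },
                            {
                                "key_as_string": "2018-01-02T00:00:00.000Z",
                                "key": 1000000000000,
                                "doc_count": 1,
                                "by ports": {"buckets": [{"key": "TCP2", "doc_count": 1},
                                                         {"key": "UDP1", "doc_count": 1}]},
                            },
                        ]
                    },
                }
            ]
        }
    }
}


def ports_per_day(ip_bucket):
    """Map each date bucket's key_as_string to the set of port keys seen that day."""
    return {
        day["key_as_string"]: {p["key"] for p in day["by ports"]["buckets"]}
        for day in ip_bucket["by date"]["buckets"]
    }


def merge_port_buckets(response):
    """For each IP bucket, return the union and intersection of port keys
    across all of its date buckets, as sorted lists.

    An IP with no date buckets yields empty lists instead of raising.
    """
    result = {}
    for ip_bucket in response["aggregations"]["by ip"]["buckets"]:
        per_day = ports_per_day(ip_bucket)
        day_sets = list(per_day.values())
        union = set().union(*day_sets)
        intersect = set.intersection(*day_sets) if day_sets else set()
        result[ip_bucket["key"]] = {
            "days": sorted(per_day),
            "union": sorted(union),
            "intersect": sorted(intersect),
        }
    return result


if __name__ == "__main__":
    # Prints per-IP union/intersect, e.g. union ["TCP1","TCP2","UDP1"], intersect ["TCP2"]
    print(json.dumps(merge_port_buckets(SAMPLE_RESPONSE), indent=2))
```

The same shape of post-processing works for any number of date buckets per IP, and the per-day sets are kept alongside the merged results so a caller can still see which day contributed which ports.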


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.