Here is an example of the aggregation bucket results that I have now:
"aggregations": {
  "by ip": {
    "buckets": [
      {
        "key": "192.168.0.1",
        "doc_count": 2,
        "by date": {
          "buckets": [
            {
              "key_as_string": "2018-01-01T00:00:00.000Z",
              "key": 1111000000000,
              "doc_count": 1,
              "by ports": {
                "buckets": [
                  {
                    "key": "TCP1",
                    "doc_count": 1
                  },
                  {
                    "key": "TCP2",
                    "doc_count": 1
                  }
                ]
              }
            },
            {
              "key_as_string": "2018-01-02T00:00:00.000Z",
              "key": 1000000000000,
              "doc_count": 1,
              "by ports": {
                "buckets": [
                  {
                    "key": "TCP2",
                    "doc_count": 1
                  },
                  {
                    "key": "UDP1",
                    "doc_count": 1
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}
How do I merge the results of the 2 bucket days together to get calculations such as the union and intersect of the ports that I can set to new aggregation buckets?
Union: TCP1, TCP2, UDP1
Intersect: TCP2
It seems that the default bucket and pipeline aggregation features are unable to perform this. Would a Painless/Python bucket script aggregation work, and are there any other alternative methods?
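Added example (not from the original post): a client-side Python walk over the nested aggregation response that computes, per IP, the union and intersection of port keys across the date buckets, plus the ports first seen on each date, which is the view a defender usually wants from this shape of data (a host suddenly talking on a port it never used before). The aggregation names "by ip", "by date" and "by ports" and the sample values are the question's own; the response is embedded here as a constructed dict in that shape, and the function names are assumptions. Dates are ordered by `key_as_string` rather than the epoch `key`, because the epoch values in the quoted sample are placeholders that do not match the ISO strings.

```python
import json

# Constructed sample, shaped exactly like the aggregation result quoted in the
# question (aggregation names and port values are the question's own).
SAMPLE_RESPONSE = {
    "aggregations": {
        "by ip": {
            "buckets": [
                {
                    "key": "192.168.0.1",
                    "doc_count": 2,
                    "by date": {
                        "buckets": [
                            {
                                "key_as_string": "2018-01-01T00:00:00.000Z",
                                "key": 1111000000000,
                                "doc_count": 1,
                                "by ports": {"buckets": [
                                    {"key": "TCP1", "doc_count": 1},
                                    {"key": "TCP2", "doc_count": 1},
                                ]},
                            },
                            {
                                "key_as_string": "2018-01-02T00:00:00.000Z",
                                "key": 1000000000000,
                                "doc_count": 1,
                                "by ports": {"buckets": [
                                    {"key": "TCP2", "doc_count": 1},
                                    {"key": "UDP1", "doc_count": 1},
                                ]},
                            },
                        ]
                    },
                }
            ]
        }
    }
}


def ports_per_date(ip_bucket):
    """Map each date bucket (by key_as_string) of one "by ip" bucket to its set of port keys."""
    return {
        date_bucket["key_as_string"]: {
            port_bucket["key"] for port_bucket in date_bucket["by ports"]["buckets"]
        }
        for date_bucket in ip_bucket["by date"]["buckets"]
    }


def merge_port_buckets(response):
    """Merge the per-date port sets of every IP into a union and an intersection.

    Returns {ip: {"union": [...], "intersect": [...], "dates": n}}, lists sorted.
    An IP with no date buckets yields empty lists instead of raising.
    """
    merged = {}
    for ip_bucket in response["aggregations"]["by ip"]["buckets"]:
        port_sets = list(ports_per_date(ip_bucket).values())
        union = set().union(*port_sets) if port_sets else set()
        intersect = set.intersection(*port_sets) if port_sets else set()
        merged[ip_bucket["key"]] = {
            "union": sorted(union),
            "intersect": sorted(intersect),
            "dates": len(port_sets),
        }
    return merged


def ports_new_on_date(ip_bucket):
    """Ports seen on a date that were absent on every earlier date for this IP.

    Dates are processed in ISO-8601 order of key_as_string, which sorts lexically.
    """
    seen = set()
    new_by_date = {}
    for date_key, ports in sorted(ports_per_date(ip_bucket).items()):
        new_by_date[date_key] = sorted(ports - seen)
        seen |= ports
    return new_by_date


if __name__ == "__main__":
    print(json.dumps(merge_port_buckets(SAMPLE_RESPONSE), indent=2))
    first_ip = SAMPLE_RESPONSE["aggregations"]["by ip"]["buckets"][0]
    print(json.dumps(ports_new_on_date(first_ip), indent=2))
```

On a live cluster the same functions take the decoded search response (`json.loads` of the response body) in place of `SAMPLE_RESPONSE`; with `size: 0` on the search, the aggregation tree is the only payload to process, and the union/intersection can then be stored back as fields of a summary document if it needs to be queried later.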