Mustache script syntax for aggregated buckets

Hi All,

I'm sure this is a no brainer question.

I have a search followed by this aggregation:

            "aggs": {
                "destination_ip": {
                        "significant_terms": {
                            "field": "destination.ip"
                            }
                        },
                    "aggs": {
                           "terms": {
                              "field": "source.ip"
                            } 
                        }
            }

The output of the results (in watcher) for the aggregation is as follows:

        "aggregations": {
          "destination_ip": {
            "doc_count": 81,
            "buckets": [
              {
                "score": 322616.8342162003,
                "doc_count": 41,
                "bg_count": 253,
                "key": "8.8.8.8"
              },
              {
                "score": 304662.9287142383,
                "doc_count": 40,
                "bg_count": 255,
                "key": "192.168.123.128"
              }
            ],
            "bg_count": 318574164
          },
          "aggs": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "doc_count": 41,
                "key": "116.12.209.226"
              },
              {
                "doc_count": 40,
                "key": "192.168.123.137"
              }
            ]
          }
        }
      },

I'm trying to generate an email with
Destination <IP> source <source_ip> <document count>

There are {{ctx.payload.aggregations.destination_ip.buckets.size}}
{{#ctx.payload.aggregations.destination_ip.buckets}}
Destination {{key}} Source {{ctx.payload.aggregations.destination_ip.aggregations.buckets.key}} Count {{ctx.payload.aggregations.destination_ip.aggregations.buckets.doc_count}}
{{/ctx.payload.aggregations.destination_ip.buckets}}

All I am getting is
There are 2
Destination 8.8.8.8 Source Count
Destination 116.12.209.226 Source Count

Can someone tell me the correct syntax to get the second bucket info?
I was hoping for a report like
There are 2
Destination 8.8.8.8 Source 192.168.123.128 Count 40
Destination 116.12.209.226 Source 192.168.123.137 Count 40

Thanks a lot!

Regards,

Michael

Just an update:

I've modified the aggregation to this

            "aggs": {
              "destination_ip": {
                "composite": {
                  "size": 100,
                  "sources": [
                    {
                      "dest_ip": {
                        "terms": {
                          "field": "destination.ip"
                        }
                      }
                    }
                  ]
                },
                "aggs": {
                  "source_ip": {
                    "terms": {
                      "field": "source.ip"
                    }
                  }
                }
              }
            }
          }
        }

And the return is

        "aggregations": {
          "destination_ip": {
            "buckets": [
              {
                "doc_count": 13,
                "key": {
                  "dest_ip": "110.54.238.91"
                },
                "source_ip": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": []
                }
              },
              {
                "doc_count": 608,
                "key": {
                  "dest_ip": "116.12.209.226"
                },
                "source_ip": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 350,
                  "buckets": [
                    {
                      "doc_count": 182,
                      "key": "92.63.197.68"
                    },
                    {
                      "doc_count": 17,
                      "key": "51.38.212.60"
                    },
                    {
                      "doc_count": 13,
                      "key": "108.62.104.102"
                    },
                    {
                      "doc_count": 9,
                      "key": "216.250.254.134"
                    },
                    {
                      "doc_count": 7,
                      "key": "116.15.24.15"
                    },
                    {
                      "doc_count": 7,
                      "key": "119.61.0.141"
                    },
                    {
                      "doc_count": 6,
                      "key": "45.143.200.110"
                    },
                    {
                      "doc_count": 6,
                      "key": "180.129.110.127"
                    },
                    {
                      "doc_count": 6,
                      "key": "203.125.194.88"
                    },
                    {
                      "doc_count": 5,
                      "key": "3.89.48.72"
                    }
                  ]
                }
              },
              {
                "doc_count": 1954,
                "key": {
                  "dest_ip": "192.168.123.255"
                },
                "source_ip": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 31,
                  "buckets": [
                    {
                      "doc_count": 1570,
                      "key": "192.168.123.12"
                    },
                    {
                      "doc_count": 69,
                      "key": "192.168.123.202"
                    },
                    {
                      "doc_count": 66,
                      "key": "192.168.123.107"
                    },
                    {
                      "doc_count": 65,
                      "key": "192.168.123.108"
                    },
                    {
                      "doc_count": 65,
                      "key": "192.168.123.109"
                    },
                    {
                      "doc_count": 23,
                      "key": "192.168.123.97"
                    },
                    {
                      "doc_count": 17,
                      "key": "192.168.123.31"
                    },
                    {
                      "doc_count": 17,
                      "key": "192.168.123.124"
                    },
                    {
                      "doc_count": 17,
                      "key": "192.168.123.144"
                    },
                    {
                      "doc_count": 14,
                      "key": "192.168.123.125"
                    }
                  ]
                }
              },
              {
                "doc_count": 5,
                "key": {
                  "dest_ip": "208.91.114.23"
                },
                "source_ip": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": [
                    {
                      "doc_count": 5,
                      "key": "116.12.209.226"
                    }
                  ]
                }
              },
              {
                "doc_count": 1581,
                "key": {
                  "dest_ip": "255.255.255.255"
                },
                "source_ip": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": [
                    {
                      "doc_count": 1570,
                      "key": "192.168.123.12"
                    },
                    {
                      "doc_count": 11,
                      "key": "0.0.0.0"
                    }
                  ]
                }
              }
            ],
            "after_key": {
              "dest_ip": "255.255.255.255"
            }
          }
        }
      },

How do I access the results?
I've tried this, but it only returns the primary destination ip key.

{{#ctx.payload.aggregations.destination_ip.buckets}}
{{key.dest_ip}} {{#ctx.payload.aggregations.source_ip.buckets}}
            {{key}}
{{/ctx.payload.aggregations.source_ip.buckets}}
{{/ctx.payload.aggregations.destination_ip.buckets}}

I only get the list of key.dest_ip

Thanks for the help.

Okay, found the answer

{{#ctx.payload.aggregations.destination_ip.buckets}}
{{key.dest_ip}} 
{{#source_ip.buckets}}
        {{key}}         Count={{doc_count}}
{{/source_ip.buckets}}
{{/ctx.payload.aggregations.destination_ip.buckets}}
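To show why the relative section name works and the absolute one from the earlier attempt renders nothing, here is an added example that is not part of this thread or of Elasticsearch's own Mustache engine: a deliberately small Python re-implementation of Mustache section and variable resolution (context stack, dotted names), run over a constructed payload with the same shape as the composite-aggregation response above (addresses are made up). `RELATIVE_TEMPLATE` is the working answer; `ABSOLUTE_TEMPLATE` is the form from the question.

```python
import re

# Constructed sample payload: the shape of the composite aggregation with a
# terms sub-aggregation shown in the thread, with made-up addresses.
CTX = {"ctx": {"payload": {"aggregations": {"destination_ip": {"buckets": [
    {"doc_count": 5, "key": {"dest_ip": "203.0.113.10"},
     "source_ip": {"buckets": [{"doc_count": 3, "key": "198.51.100.7"},
                               {"doc_count": 2, "key": "198.51.100.9"}]}},
    {"doc_count": 1, "key": {"dest_ip": "203.0.113.20"},
     "source_ip": {"buckets": []}},  # empty sub-agg bucket, as for 110.54.238.91
]}}}}}

TAG = re.compile(r"\{\{([#/]?)\s*([\w.]+)\s*\}\}")


def tokenize(template: str) -> list:
    """Split a template into ('text' | 'var' | 'open' | 'close', value) tokens."""
    tokens, pos = [], 0
    for m in TAG.finditer(template):
        if m.start() > pos:
            tokens.append(("text", template[pos:m.start()]))
        tokens.append(({"#": "open", "/": "close"}.get(m.group(1), "var"), m.group(2)))
        pos = m.end()
    if pos < len(template):
        tokens.append(("text", template[pos:]))
    return tokens


def lookup(stack: list, path: str):
    """Mustache resolution: the first segment is searched from the innermost
    context outward; the remaining segments are descended with no fallback."""
    head, *rest = path.split(".")
    for frame in reversed(stack):
        if isinstance(frame, dict) and head in frame:
            value = frame[head]
            for part in rest:
                if not (isinstance(value, dict) and part in value):
                    return None
                value = value[part]
            return value
    return None


def find_close(tokens: list, start: int, name: str) -> int:
    """Index of the {{/name}} that matches the {{#name}} just before `start`."""
    depth = 0
    for j in range(start, len(tokens)):
        kind, value = tokens[j]
        if kind == "open" and value == name:
            depth += 1
        elif kind == "close" and value == name:
            if depth == 0:
                return j
            depth -= 1
    raise ValueError(f"unclosed section {name}")


def render_tokens(tokens: list, stack: list) -> str:
    out, i = [], 0
    while i < len(tokens):
        kind, value = tokens[i]
        if kind == "text":
            out.append(value)
        elif kind == "var":
            v = lookup(stack, value)
            out.append("" if v is None else str(v))
        elif kind == "open":
            end = find_close(tokens, i + 1, value)
            v = lookup(stack, value)
            # A list section repeats its body once per element with that element
            # pushed onto the stack; a missing or empty value renders nothing.
            items = v if isinstance(v, list) else ([v] if v else [])
            for item in items:
                out.append(render_tokens(tokens[i + 1:end], stack + [item]))
            i = end
        i += 1
    return "".join(out)


def render(template: str, data) -> str:
    return render_tokens(tokenize(template), [data])


# Working form from the thread: the inner section is a relative name,
# resolved against the destination bucket currently on the stack.
RELATIVE_TEMPLATE = (
    "{{#ctx.payload.aggregations.destination_ip.buckets}}Destination {{key.dest_ip}}\n"
    "{{#source_ip.buckets}}  Source {{key}} Count={{doc_count}}\n{{/source_ip.buckets}}"
    "{{/ctx.payload.aggregations.destination_ip.buckets}}"
)

# Form from the question: an absolute path that does not exist in the payload,
# so the inner section is silently skipped and only the destinations print.
ABSOLUTE_TEMPLATE = (
    "{{#ctx.payload.aggregations.destination_ip.buckets}}Destination {{key.dest_ip}}\n"
    "{{#ctx.payload.aggregations.source_ip.buckets}}  Source {{key}}\n"
    "{{/ctx.payload.aggregations.source_ip.buckets}}"
    "{{/ctx.payload.aggregations.destination_ip.buckets}}"
)
```

Running `render(RELATIVE_TEMPLATE, CTX)` prints each destination followed by its source buckets and counts; `render(ABSOLUTE_TEMPLATE, CTX)` prints only the destination lines, which is the symptom reported in the question. The point to take away is that inside a section the current bucket is the innermost context, so `source_ip.buckets` is found there, whereas a name beginning with `ctx` is resolved from the root payload, where no `aggregations.source_ip` exists.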
