Hello,
I want to aggregate on multiple nested fields. Is there any way to do it? Here is my mapping:
{
"mappings": {
"_data_stream_timestamp": {
"enabled": true
},
"dynamic_templates": [
{
"match_ip": {
"match": "ip",
"match_mapping_type": "string",
"mapping": {
"type": "ip"
}
}
},
{
"match_message": {
"match": "message",
"match_mapping_type": "string",
"mapping": {
"type": "match_only_text"
}
}
},
{
"strings_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword",
"ignore_above": 1024
},
"cisco": {
"type": "nested",
"properties": {
"asa": {
"type": "nested",
"properties": {
"connection_id": {
"type": "keyword",
"ignore_above": 1024
},
"duration": {
"type": "keyword",
"ignore_above": 1024
},
"network": {
"type": "nested",
"properties": {
"transport": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"outcome": {
"type": "keyword",
"ignore_above": 1024
},
"rule_name": {
"type": "keyword",
"ignore_above": 1024
},
"tag": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword",
"value": "generic"
},
"namespace": {
"type": "constant_keyword",
"value": "default"
},
"type": {
"type": "constant_keyword",
"value": "logs"
}
}
},
"destination": {
"type": "nested",
"properties": {
"ip": {
"type": "keyword",
"ignore_above": 1024
},
"port": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"ecs": {
"properties": {
"version": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"event": {
"properties": {
"original": {
"type": "keyword",
"ignore_above": 1024
},
"reason": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"host": {
"properties": {
"hostname": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"log": {
"properties": {
"syslog": {
"properties": {
"facility": {
"properties": {
"code": {
"type": "long"
},
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"priority": {
"type": "long"
},
"severity": {
"properties": {
"code": {
"type": "long"
},
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}
},
"message": {
"type": "match_only_text"
},
"network": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"ingress": {
"properties": {
"interface": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}
},
"source": {
"type": "nested",
"properties": {
"ip": {
"type": "keyword",
"ignore_above": 1024
},
"port": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}
I want to aggregate on both my source.ip and destination.ip.
Thanks.