Hi,
I am using Elasticsearch 5.3 and need to calculate the top 50 client_ip ordered by the 1m peak value in one day.
Like this, I try to use a size-1 date_histogram to get the peak value:
    "aggs": {
      "client_ip": {
        "terms": {
          "field": "ClientIp",
          "order": {"timeline>pktlen": "desc"},
          "size": 50
        },
        "aggs": {
          "timeline": {
            "date_histogram": {
              "field": "ts",
              "interval": "1m",
              "order": {"pktlen": "desc"},
              "size": 1
            },
            "aggs": {
              "pktlen": {
                "sum": {
                  "field": "PktLen_Sum"
                }
              }
            }
          }
        }
      }
    }
Sadly, it gives two errors:
- Terms buckets can only be sorted on a sub-aggregator path that is built out of zero or more single-bucket aggregations within the path and a final single-bucket or a metrics aggregation at the path end
- Date histogram not support size
So how can I get the top 50 client_ip ordered by peak value?
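One way to work around both errors, as an added example that is not the poster's code or an Elasticsearch-provided recipe: order the terms buckets by a plain metric (a sum at the end of the path, which the first error message allows), give each candidate a 1-minute date_histogram with a max_bucket pipeline aggregation that reports the busiest minute, and do the final ranking by peak on the client side. The field names (ClientIp, ts, PktLen_Sum) come from the question; the aggregation names, the candidate size, the day and the sample response are all constructed for the example.

```python
"""Rank client IPs by their busiest 1-minute window (Elasticsearch 5.x).

Added example, not the original poster's query. A terms aggregation cannot be
ordered by a multi-bucket path such as "timeline>pktlen", and a date_histogram
has no "size", so the plan is:
  1. request a wide candidate list of client IPs ordered by total bytes,
  2. bucket each candidate into 1-minute windows and sum PktLen_Sum,
  3. let a max_bucket pipeline report each client's peak minute,
  4. sort the candidates by that peak client-side and keep the top N.
Field names come from the question; everything else is constructed.
"""


def build_peak_query(day, candidate_size=1000, interval="1m"):
    """Return the request body; `day` is a yyyy-MM-dd string (assumed UTC)."""
    return {
        "size": 0,
        "query": {
            "range": {"ts": {"gte": day, "lt": day + "||+1d",
                             "format": "yyyy-MM-dd"}}
        },
        "aggs": {
            "client_ip": {
                "terms": {
                    "field": "ClientIp",
                    # A metric aggregation at the end of the path is allowed.
                    "order": {"total_pktlen": "desc"},
                    "size": candidate_size,
                },
                "aggs": {
                    "total_pktlen": {"sum": {"field": "PktLen_Sum"}},
                    "timeline": {
                        "date_histogram": {"field": "ts", "interval": interval},
                        "aggs": {"pktlen": {"sum": {"field": "PktLen_Sum"}}},
                    },
                    # Pipeline aggregation: max of pktlen over the timeline buckets.
                    "peak_minute": {
                        "max_bucket": {"buckets_path": "timeline>pktlen"}
                    },
                },
            }
        },
    }


def peak_of(client_bucket):
    """Peak 1-minute sum for one terms bucket as (value, list of minute keys).

    Uses the max_bucket result when present, otherwise recomputes it from the
    timeline buckets so the ranking does not depend on the pipeline agg.
    """
    pipeline = client_bucket.get("peak_minute")
    if pipeline and pipeline.get("value") is not None:
        return pipeline["value"], list(pipeline.get("keys", []))
    best, keys = 0.0, []
    for minute in client_bucket["timeline"]["buckets"]:
        value = minute["pktlen"]["value"]
        if value > best:
            best, keys = value, [minute["key_as_string"]]
        elif value == best and best > 0:
            keys.append(minute["key_as_string"])  # ties keep every minute
    return best, keys


def top_clients_by_peak(response, n=50):
    """Client-side ranking of the candidate buckets by their peak minute."""
    rows = []
    for bucket in response["aggregations"]["client_ip"]["buckets"]:
        peak, minutes = peak_of(bucket)
        rows.append({"client_ip": bucket["key"], "peak": peak, "minutes": minutes})
    # Highest peak first; the IP is the tie-breaker so output is deterministic.
    rows.sort(key=lambda r: (-r["peak"], r["client_ip"]))
    return rows[:n]


# Constructed sample response: 10.0.0.1 moves more bytes in total, but
# 10.0.0.2 has the higher single-minute spike, so it must rank first.
SAMPLE_RESPONSE = {
    "aggregations": {"client_ip": {"buckets": [
        {"key": "10.0.0.1", "doc_count": 3,
         "total_pktlen": {"value": 900.0},
         "timeline": {"buckets": [
             {"key_as_string": "2017-05-01T00:00:00.000Z", "pktlen": {"value": 300.0}},
             {"key_as_string": "2017-05-01T00:01:00.000Z", "pktlen": {"value": 400.0}},
             {"key_as_string": "2017-05-01T00:02:00.000Z", "pktlen": {"value": 200.0}}]},
         "peak_minute": {"value": 400.0, "keys": ["2017-05-01T00:01:00.000Z"]}},
        {"key": "10.0.0.2", "doc_count": 2,
         "total_pktlen": {"value": 800.0},
         # No peak_minute here, so peak_of falls back to the timeline buckets.
         "timeline": {"buckets": [
             {"key_as_string": "2017-05-01T00:00:00.000Z", "pktlen": {"value": 50.0}},
             {"key_as_string": "2017-05-01T00:01:00.000Z", "pktlen": {"value": 750.0}}]}},
    ]}}
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_peak_query("2017-05-01"), indent=2))
    for row in top_clients_by_peak(SAMPLE_RESPONSE):
        print(row)
```

The one thing to keep in mind is that the candidate list is still cut by the terms `size` ordered on total bytes, so a client with a small daily total but one very sharp minute could fall outside the candidates and never be ranked; widen `candidate_size` (or order the candidates on a different metric) until the top-N by peak stops changing.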