I have documents that contain e.g. 100 or more different IP addresses, e.g. like this:
{"httpcalls": [
{"dstip":"192.199.2.103"},
{"dstip":"286.199.2.100"},
..... many more
]}
Now let's say I run a "prefix" query to look for IP addresses that start with "286.199", but I only want Elasticsearch to return the "dstip" entries that match.
Is there a way to achieve this?
From what I read so far, I understand that I can only choose between returning ALL "dstip" fields from the documents that matched, or none at all.
The first option means that I receive e.g. 10,000 matching documents with 200 IPs each, i.e. 2,000,000 "dstip" entries. Too much data for me.
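One way to get only the matching "dstip" entries back, as an added example that is not part of the original post: map `httpcalls` as a `nested` field and run the prefix query through a `nested` query with `inner_hits`, which returns just the nested objects that matched while `"_source": false` suppresses the parent document's full array. This is a prerequisite on the mapping side: with the default `object` mapping the array is flattened and `inner_hits` is not available. The index name `traffic`, the `keyword` type for `dstip` (prefix queries are lexical; an `ip`-typed field would also reject the post's "286.199.2.100", which is not a valid IPv4 address) and the sample response are assumptions for this example.

```python
"""
Added example (not from the original post): an Elasticsearch "nested" mapping
plus a prefix query that uses inner_hits so only the matching "dstip" entries
come back, instead of every dstip of every matching document.

Assumptions: index name "traffic", "httpcalls" mapped as nested, "dstip" mapped
as keyword. All of these are hypothetical, not taken from the post.
"""
import json

INDEX = "traffic"  # hypothetical index name

# Mapping: "nested" stores each {"dstip": ...} object as its own hidden
# sub-document, which is what lets inner_hits return only the matching objects.
MAPPING = {
    "mappings": {
        "properties": {
            "httpcalls": {
                "type": "nested",
                "properties": {"dstip": {"type": "keyword"}},
            }
        }
    }
}


def build_prefix_query(prefix: str, max_inner: int = 100) -> dict:
    """Search body: drop the parent _source entirely and return only the nested
    objects whose dstip starts with `prefix`. `max_inner` is per parent document;
    inner_hits returns 3 by default and Elasticsearch caps the value at
    index.max_inner_result_window (100 by default)."""
    return {
        "_source": False,  # do not ship the whole 200-IP array per document
        "query": {
            "nested": {
                "path": "httpcalls",
                "query": {"prefix": {"httpcalls.dstip": {"value": prefix}}},
                "inner_hits": {"size": max_inner},
            }
        },
    }


def extract_matching_dstips(response: dict) -> list:
    """Walk a search response and collect dstip values from inner_hits only."""
    out = []
    for hit in response.get("hits", {}).get("hits", []):
        nested = hit.get("inner_hits", {}).get("httpcalls", {})
        for inner in nested.get("hits", {}).get("hits", []):
            out.append(inner["_source"]["dstip"])
    return out


# Constructed sample of the response shape for build_prefix_query("286.199")
# against the post's document: only the matching nested object, no parent _source.
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [
            {
                "_index": INDEX,
                "_id": "1",
                "_score": 1.0,
                "inner_hits": {
                    "httpcalls": {
                        "hits": {
                            "total": {"value": 1, "relation": "eq"},
                            "hits": [
                                {
                                    "_nested": {"field": "httpcalls", "offset": 1},
                                    "_score": 1.0,
                                    "_source": {"dstip": "286.199.2.100"},
                                }
                            ],
                        }
                    }
                },
            }
        ],
    }
}


def main():
    # Print the request body you would PUT/POST, then parse the sample response.
    print(json.dumps(MAPPING, indent=2))
    print(json.dumps(build_prefix_query("286.199"), indent=2))
    print(extract_matching_dstips(SAMPLE_RESPONSE))  # ['286.199.2.100']


if __name__ == "__main__":
    main()
```

Note that `inner_hits` is paginated per parent document: if one document can contain more than 100 matching entries you would need to raise `index.max_inner_result_window` on the index or page with `from`/`size` inside `inner_hits`.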