I need to aggregate by multi fields : [srcMac, dstMac, srcIp, dstIp, srcPort, dstPort, protocol], so I add a field "groupKey" and then aggregate by it.
the mappings is:
{
"mappings": {
"_doc": {
"properties": {
"createTime": {
"type": "long"
},
"dstIp": {
"type": "keyword",
"ignore_above": 256
},
"dstMac": {
"type": "keyword",
"ignore_above": 256
},
"dstPort": {
"type": "keyword",
"ignore_above": 256
},
"endTime": {
"type": "long"
},
"groupKey": {
"type": "keyword",
"ignore_above": 256
},
"length": {
"type": "float"
},
"protocol": {
"type": "keyword",
"ignore_above": 256
},
"srcIp": {
"type": "keyword",
"ignore_above": 256
},
"srcMac": {
"type": "keyword",
"ignore_above": 256
},
"srcPort": {
"type": "keyword",
"ignore_above": 256
},
"startTime": {
"type": "long"
}
}
}
}
}
the data like below:
{
"srcMac": "00:18:7d:d5:7f:03",
"dstMac": "00:a0:1e:14:0b:15",
"srcIp": "172.20.99.11",
"dstIp": "172.20.11.21",
"srcPort": "38252",
"dstPort": "102",
"protocol": "mms",
"groupKey": "00:18:7d:d5:7f:03#00:a0:1e:14:0b:15#172.20.99.11#172.20.11.21#38252#102#mms",
"length": 287,
"createTime": 1640363400229,
"startTime": 1640275200000,
"endTime": 1640361599999
}
Here is my query:
{
"size": 0,
"query": {...},
"aggregations": {
"aggTotal": {
"cardinality": {
"field": "groupKey"
}
},
"grouping": {
"terms": {
"field": "groupKey",
"size": 50,
"min_doc_count": 1,
"order": [
{
"sendTimeMax": "desc"
},
{
"_key": "asc"
}
]
},
"aggregations": {
"lengthMin": {
"min": {
"field": "length"
}
},
"lengthMax": {
"max": {
"field": "length"
}
},
"lengthAvg": {
"avg": {
"field": "length"
},
"sendTimeMax": {
"max": {
"field": "startTime"
}
}
}
}
}
}
}
Now I need to sort by srcIp or dstIp, srcMac, dstMac after aggragation, but the data after aggragation don't have the field srcIp, only have field "groupKey", what can I do to sort after aggragation.