Sort After Aggregation

aosrc · December 29, 2021, 2:36am

I need to aggregate by multi fields : [srcMac, dstMac, srcIp, dstIp, srcPort, dstPort, protocol], so I add a field "groupKey" and then aggregate by it.
the mappings is:

    {
      "mappings": {
        "_doc": {
          "properties": {
            "createTime": {
              "type": "long"
            },
            "dstIp": {
              "type": "keyword",
              "ignore_above": 256
            },
            "dstMac": {
              "type": "keyword",
              "ignore_above": 256
            },
            "dstPort": {
              "type": "keyword",
              "ignore_above": 256
            },
            "endTime": {
              "type": "long"
            },
            "groupKey": {
              "type": "keyword",
              "ignore_above": 256
            },
            "length": {
              "type": "float"
            },
            "protocol": {
              "type": "keyword",
              "ignore_above": 256
            },
            "srcIp": {
              "type": "keyword",
              "ignore_above": 256
            },
            "srcMac": {
              "type": "keyword",
              "ignore_above": 256
            },
            "srcPort": {
              "type": "keyword",
              "ignore_above": 256
            },
            "startTime": {
              "type": "long"
            }
          }
        }
      }
    }

the data like below:

    {
      "srcMac": "00:18:7d:d5:7f:03",
      "dstMac": "00:a0:1e:14:0b:15",
      "srcIp": "172.20.99.11",
      "dstIp": "172.20.11.21",
      "srcPort": "38252",
      "dstPort": "102",
      "protocol": "mms",
      "groupKey": "00:18:7d:d5:7f:03#00:a0:1e:14:0b:15#172.20.99.11#172.20.11.21#38252#102#mms",
      "length": 287,
      "createTime": 1640363400229,
      "startTime": 1640275200000,
      "endTime": 1640361599999
    }

Here is my query:

    {
      "size": 0,
      "query": {...},
      "aggregations": {
        "aggTotal": {
          "cardinality": {
            "field": "groupKey"
          }
        },
        "grouping": {
          "terms": {
            "field": "groupKey",
            "size": 50,
            "min_doc_count": 1,
            "order": [
              {
                "sendTimeMax": "desc"
              },
              {
                "_key": "asc"
              }
            ]
          },
          "aggregations": {
            "lengthMin": {
              "min": {
                "field": "length"
              }
            },
            "lengthMax": {
              "max": {
                "field": "length"
              }
            },
            "lengthAvg": {
              "avg": {
                "field": "length"
              },
              "sendTimeMax": {
                "max": {
                  "field": "startTime"
                }
              }
            }
          }
        }
      }
    }

Now I need to sort by srcIp or dstIp, srcMac, dstMac after aggragation, but the data after aggragation don't have the field srcIp, only have field "groupKey", what can I do to sort after aggragation.

Tomo_M · December 29, 2021, 5:02am

Hi @aosrc !

Bucket sort aggregation will help you.

In addition, you may use multi terms aggregation to aggregate by multi fields without concatenated "groupKey" field.

system · January 26, 2022, 5:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch 7.15 Multi terms aggregation with several fields, sort by key Elasticsearch	1	491	December 22, 2022
Aggregation sort by timestamp Elasticsearch	1	1273	July 5, 2017
Sort over Aggregations buckets by text field over already sorted result Elasticsearch	0	5	September 10, 2024
ElasticSearch - Sort by another field which is not mentioned in field section aggregation query Elasticsearch	1	326	December 28, 2020
Can elasticsearch do GROUP BY multi fields and ORDER BY count? Elasticsearch	3	26361	May 9, 2019

Sort After Aggregation

Related Topics