Elasticsearch（ES）基本聚合查询示例（以下查询均针对含 ip / port / protocol / geoip / asn 字段的索引）

按 protocol 做 terms 聚合。注意聚合字段用的是 protocol.raw（通常为 keyword 子字段）：text 类型字段不能直接做 terms 聚合，除非开启 fielddata。

{
  "_source": "protocol", 
  "size": 1,
  "aggs": {
    "agg_protocols": {
      "terms": {
        "field": "protocol.raw",
        "size": 1000
      }
    }
  }
}

指定地区（geoip.country_code2 = ID），按 port 做 terms 聚合。terms 的 size 设为 9999 会在协调节点占用较多内存，若只关心前 N 个端口应把 size 减小；constant_score + filter 只做过滤、不计算评分，适合这类统计查询。

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "bool": {
                "filter": {
                  "term": {
                    "geoip.country_code2.raw": "ID"
                  }
                }
              }
            }
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "agg_port": {
      "terms": {
        "field": "port",
        "size": 9999
      }
    }
  }
}

指定地区和时间段，统计独立 IP 数（cardinality 聚合，而非 terms 聚合）。range 中的时间字符串不带时区，实际解析取决于 lastupdatetime 字段映射的 date format，建议改用带时区的 ISO 8601 格式（如 2020-01-01T00:00:00Z）以避免歧义；size 为 0 时 _source 设置不起作用。

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "bool": {
                "filter": {
                  "term": {
                    "geoip3.country_code2": "ID"
                  }
                }
              }
            },
            {
              "range": {
                "lastupdatetime": {
                  "gte": "2020-01-01 00:00:00",
                  "lt": "2021-01-01 00:00:00"
                }
              }
            }
          ]
        }
      }
    }
  },
  "_source": ["ip", "port", "protocol"],
  "size": 0,
  "aggs": {
    "distinct_ips": {
      "cardinality": {
        "field": "ip",
        "precision_threshold": 40000
      }
    }
  }
}

多条件“并且”：port = 80 并且地区（geoip2.country_code2）= VN，统计独立 IP 数。must 数组内的各个 filter 子句之间是 AND 关系；这里 size 为 1 且 _source 为空数组，会额外返回一条不带 _source 内容的命中文档，仅为验证过滤条件用。

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "bool": {
                "filter": {
                  "term": {
                    "port": "80"
                  }
                }
              }
            },
            {
              "bool": {
                "filter": {
                  "term": {
                    "geoip2.country_code2": "VN"
                  }
                }
              }
            }
          ]
        }
      }
    }
  },
  "_source": [],
  "size": 1,
  "aggs": {
    "distinct_ips": {
      "cardinality": {
        "field": "ip",
        "precision_threshold": 40000
      }
    }
  }
}

port = 80，并且地区等于 ID 或者 VN。should 数组表示 OR；该内层 bool 只含 should 子句，minimum_should_match 默认为 1。country_code2 这类精确值用 term 比 match 更合适（match 会走分词，且与上面各查询的写法不一致）。

cardinality：独立 IP 数。这是基于 HyperLogLog++ 的近似值，不是精确计数；precision_threshold 最大可设 40000（默认 3000），基数低于该阈值时结果接近精确，超过后误差会逐渐增大。

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "bool": {
                "filter": {
                  "term": {
                    "port": "80"
                  }
                }
              }
            },
            {
              "bool": {
                "should": [
                  {
                    "match": {
                      "geoip3.country_code2": "ID"
                    }
                  },
                  {
                    "match": {
                      "geoip3.country_code2": "VN"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  },
  "_source": [
    "ip",
    "port",
    "geoip3"
  ],
  "size": 2,
  "aggs": {
    "distinct_ips": {
      "cardinality": {
        "field": "ip",
        "precision_threshold": 40000
      }
    }
  }
}

先聚合、再在每个桶内求独立 IP 数：先按 asn.as_organization（Sen 或 Tt）过滤，再按 geoip.country_name.raw 做 terms 聚合（取前 10 个国家），每个桶内用 cardinality 子聚合统计独立 IP 数。注意这里 term 作用在 asn.as_organization 上而非 .raw 子字段，若该字段为 text 类型，term 只会匹配分词后的单个 token，建议与国家名一样使用 keyword 子字段。

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "bool": {
                "should": [
                  {
                    "term": {
                      "asn.as_organization": "Sen"
                    }
                  },
                  {
                    "term": {
                      "asn.as_organization": "Tt"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  },
  "_source": [
    "ip"
  ],
  "size": 0,
  "aggs": {
    "agg_country_name": {
      "terms": {
        "field": "geoip.country_name.raw",
        "size": 10
      },
      "aggs": {
        "agg_country_name_ip": {
          "cardinality": {
            "field": "ip"
          }
        }
      }
    }
  }
}

效果:

参考:
https://www.jianshu.com/p/1b430a637971
