{
"aggs":{
"src_ip":{
"terms":{
"size":9999,
"field":"src_ip.keyword"
},
"aggs":{
"threat_target":{
"terms":{
"field":"threat_target.keyword"
},
"aggs":{
"first_time":{
"min":{
"field":"timestamp"
}
},
"last_time":{
"max":{
"field":"timestamp"
}
},
"source":{
"top_hits":{
"_source":[
"src_ip",
"threat_target"
],
"size":1
}
},
"bucket_sort":{
"bucket_sort":{
"sort":{
"last_time":{
"order":"desc"
}
},
"from":0,
"size":5
}
}
}
}
}
}
},
"size":0
}
如何让 bucket_sort 对全部结果生效，而不仅仅是在每个父级桶内部排序？
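-- SQL equivalent of the Elasticsearch aggregation above: group traffic by
-- (src_ip, threat_target), report the earliest and latest timestamp seen for
-- each pair plus the row count, then order the groups and page the result.
SELECT
-- "first seen" is the earliest timestamp (MIN) and "last seen" the latest (MAX);
-- the ES request uses "min" for first_time and "max" for last_time, so the
-- aggregate functions must not be swapped.
min( timestamp ) AS first_time,
max( timestamp ) AS last_time,
src_ip,
threat_target ,
count(*) AS count
FROM
traffic
GROUP BY
src_ip,
threat_target
-- NOTE(review): the ES bucket_sort above orders on last_time with size 5;
-- confirm whether first_time DESC / 10 rows is the intended ordering here.
ORDER BY
first_time DESC
LIMIT 0 ,10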