bucket_sort does not work on the results, only on the parent agg

yacmzcpb posted on 2021-06-10 in ElasticSearch
{
    "aggs":{
        "src_ip":{
            "terms":{
                "size":9999,
                "field":"src_ip.keyword"
            },
            "aggs":{
                "threat_target":{
                    "terms":{
                        "field":"threat_target.keyword"
                    },
                    "aggs":{
                        "first_time":{
                            "min":{
                                "field":"timestamp"
                            }
                        },
                        "last_time":{
                            "max":{
                                "field":"timestamp"
                            }
                        },
                        "source":{
                            "top_hits":{
                                "_source":[
                                    "src_ip",
                                    "threat_target"
                                ],
                                "size":1
                            }
                        },
                        "bucket_sort":{
                            "bucket_sort":{
                                "sort":{
                                    "last_time":{
                                        "order":"desc"
                                    }
                                },
                                "from":0,
                                "size":5
                            }
                        }
                    }
                }
            }
        }
    },
    "size":0
}

How can I make bucket_sort work on the results, and not just on the parent?

SELECT
    -- first_time is the earliest timestamp (MIN), last_time the latest (MAX),
    -- matching the min/max sub-aggregations in the query above
    min( timestamp ) AS first_time,
    max( timestamp ) AS last_time,
    src_ip,
    threat_target,
    count(*) AS count
FROM
    traffic
GROUP BY
    src_ip,
    threat_target
ORDER BY
    first_time DESC
LIMIT 0, 10
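The reason the posted query behaves this way: bucket_sort is a pipeline aggregation that only reorders and truncates the buckets of its immediate parent, so nested under threat_target it yields "the newest 5 targets for each src_ip", never a top-N over all (src_ip, threat_target) pairs as the SQL does. To get the SQL semantics the two fields have to form a single bucket level, for example with a multi_terms aggregation (Elasticsearch 7.12 or newer), and bucket_sort is then attached to that level. The following Python is an added example, not code from the original post: it simulates both semantics on constructed sample documents so the difference is visible, and builds the multi_terms request body. The field names src_ip.keyword, threat_target.keyword and timestamp are taken from the posted query; the sample documents and the ES version requirement are assumptions.

```python
"""Added example (not from the original post): compare per-parent bucket_sort
with a global top-N over (src_ip, threat_target) pairs, and build the
Elasticsearch request that performs the global version.

Assumptions (not in the original post): the multi_terms aggregation needs
Elasticsearch >= 7.12; the documents below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample traffic documents: (src_ip, threat_target, epoch seconds)
DOCS = [
    ("10.0.0.1", "c2-a", 100),
    ("10.0.0.1", "c2-a", 900),   # last_time for this pair = 900
    ("10.0.0.1", "c2-b", 800),
    ("10.0.0.1", "c2-c", 700),
    ("10.0.0.2", "c2-d", 950),   # newest pair overall
    ("10.0.0.2", "c2-e", 300),
    ("10.0.0.3", "c2-f", 850),
]


def pair_stats(docs):
    """Group by (src_ip, threat_target) -> (first_time, last_time, count)."""
    stats = {}
    for ip, target, ts in docs:
        first, last, n = stats.get((ip, target), (ts, ts, 0))
        stats[(ip, target)] = (min(first, ts), max(last, ts), n + 1)
    return stats


def nested_bucket_sort(docs, size):
    """Semantics of the posted query: bucket_sort runs inside each src_ip
    bucket, so the result is the newest `size` targets PER src_ip.
    Returns dict src_ip -> [(threat_target, last_time), ...]."""
    per_ip = defaultdict(list)
    for (ip, target), (_, last, _) in pair_stats(docs).items():
        per_ip[ip].append((target, last))
    return {ip: sorted(rows, key=lambda r: r[1], reverse=True)[:size]
            for ip, rows in per_ip.items()}


def global_bucket_sort(docs, size):
    """Semantics the SQL expresses: every (src_ip, threat_target) pair is one
    row, all rows are ordered by last_time desc, and only the top N survive.
    Returns [(src_ip, threat_target, first_time, last_time, count), ...]."""
    rows = [(ip, target, first, last, n)
            for (ip, target), (first, last, n) in pair_stats(docs).items()]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows[:size]


def multi_terms_query(size, from_=0):
    """Request body that makes Elasticsearch compute global_bucket_sort:
    one multi_terms bucket per (src_ip, threat_target) pair, then bucket_sort
    over that single level. Requires ES >= 7.12 (assumption). A composite
    aggregation is not an alternative here: it does not accept pipeline
    aggregations such as bucket_sort as sub-aggregations."""
    return {
        "size": 0,
        "aggs": {
            "pair": {
                "multi_terms": {
                    "terms": [
                        {"field": "src_ip.keyword"},
                        {"field": "threat_target.keyword"},
                    ],
                    # must cover from_ + size, otherwise the buckets to be
                    # sorted were never collected (same role as the 9999 above)
                    "size": 10000,
                },
                "aggs": {
                    "first_time": {"min": {"field": "timestamp"}},
                    "last_time": {"max": {"field": "timestamp"}},
                    "newest_first": {
                        "bucket_sort": {
                            "sort": [{"last_time": {"order": "desc"}}],
                            "from": from_,
                            "size": size,
                        }
                    },
                },
            }
        },
    }


if __name__ == "__main__":
    print("per parent :", nested_bucket_sort(DOCS, 2))
    print("global     :", global_bucket_sort(DOCS, 2))
    print("request    :", multi_terms_query(5))
```

With the sample data, nested_bucket_sort(DOCS, 2) still returns two rows for every src_ip (six rows in total), while global_bucket_sort(DOCS, 2) returns only the two newest pairs, 10.0.0.2/c2-d and 10.0.0.1/c2-a, which is what the SQL's LIMIT means. On clusters older than 7.12 the same single-level bucketing can be obtained with a terms aggregation on a script or runtime field that concatenates the two keywords, at the cost of splitting the key back apart on the client side.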
